From patchwork Mon Jan 18 16:29:07 2016
X-Patchwork-Submitter: Insu Yun
X-Patchwork-Id: 8056271
From: Insu Yun
To: konrad.wilk@oracle.com, boris.ostrovsky@oracle.com, david.vrabel@citrix.com, Jennifer.Herbert@citrix.com, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
Cc: yeongjin.jang@gatech.edu, taesoo@gatech.edu, insu@gatech.edu, Insu Yun, changwoo@gatech.edu
Date: Mon, 18 Jan 2016 11:29:07 -0500
Message-Id: <1453134547-13875-1-git-send-email-wuninsu@gmail.com>
Subject: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply

When len is greater than UINT_MAX - sizeof(*rb), in the next allocation, it can overflow the integer range and allocate a small size of heap. After that, memcpy will overflow the allocated heap. Therefore, it needs to check the size of the given length.

Signed-off-by: Insu Yun
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 9433e46..b45ed69 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len) { struct read_buffer *rb; - if (len == 0) + if (len == 0 || len >= UINT_MAX - sizeof(*rb)) return 0; rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL);
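
Review bot: In the new condition at the top of queue_reply(), the oversized-length case shares `return 0;` with the `len == 0` case, so a caller sees success while the reply is silently dropped; a rejected length should get its own branch returning a negative errno (for example `-EINVAL`) so the failure is visible. In addition, `len` is declared `size_t` and `sizeof(*rb) + len` is evaluated in `size_t`, so the sum wraps at `SIZE_MAX - sizeof(*rb)`, not at `UINT_MAX - sizeof(*rb)`; where `size_t` is wider than `unsigned int` the check as written acts as a size cap rather than an overflow guard, so either compare against `SIZE_MAX` or add a comment stating the intended maximum reply size. The commit message says "greater than" while the code uses `>=`; the two should agree.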