From patchwork Mon Jan 18 16:54:43 2016
X-Patchwork-Submitter: Insu Yun
X-Patchwork-Id: 8056341
From: Insu Yun
To: konrad.wilk@oracle.com, boris.ostrovsky@oracle.com, david.vrabel@citrix.com, Jennifer.Herbert@citrix.com, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
Cc: yeongjin.jang@gatech.edu, taesoo@gatech.edu, insu@gatech.edu, Insu Yun, changwoo@gatech.edu
Date: Mon, 18 Jan 2016 11:54:43 -0500
Message-Id: <1453136083-14855-1-git-send-email-wuninsu@gmail.com>
Subject: [Xen-devel] [PATCH v2] xen: fix potential integer overflow in queue_reply

When len is greater than UINT_MAX - sizeof(*rb), in next allocation, it can overflow integer range and allocates small size of heap. After that, memcpy will overflow the allocated heap. Therefore, it needs to check the size of given length.

Signed-off-by: Insu Yun

--- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 9433e46..912b64e 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -188,6 +188,8 @@ static int queue_reply(struct list_head *queue, const void *data, size_t len) if (len == 0) return 0; + if (len > XENSTORE_PAYLOAD_MAX) + return -EINVAL; rb = kmalloc(sizeof(*rb) + len, GFP_KERNEL); if (rb == NULL)
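
Review bot: The added `len > XENSTORE_PAYLOAD_MAX` check in queue_reply() enforces a protocol limit, but the commit message justifies it with `UINT_MAX - sizeof(*rb)`, which does not match the signature: `len` is a `size_t`, so `sizeof(*rb) + len` in the kmalloc() call wraps at the size_t range rather than at UINT_MAX. Please reword the message to describe the wrap in terms of size_t and to say why XENSTORE_PAYLOAD_MAX is the right cap for a queued reply. A one-line comment above the check stating that replies larger than the XenStore payload limit are rejected would document the intent for later readers. Since the function previously returned only 0 or an allocation failure at this point, it is also worth confirming that every caller of queue_reply() handles the new -EINVAL return instead of ignoring it.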