misc: mic: fix possible signed underflow (undefined behavior) in userspace API

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

iovcnt is declared as a signed integer in both the userspace API and
as a local variable in mic_virtio.c. The while() loop in mic_virtio.c
iterates until the local variable iovcnt reaches the value 0. If
userspace passes e.g. INT_MIN as iovcnt field, this loop then appears
to depend on an undefined behavior (signed underflow) to complete.
The fix is to use unsigned integers in both the userspace API and
the local variable.

This issue was reported @ https://lkml.org/lkml/2014/1/10/10

Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Sudeep Dutt <sudeep.dutt@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Sudeep Dutt and committed by

Greg Kroah-Hartman 12 years ago 3b1cc9b9 01ab1167

+3 -2

2 changed files

expand all

drivers

misc

mic

host

mic_virtio.c

include

uapi

linux

mic_ioctl.h

+2 -1

drivers/misc/mic/host/mic_virtio.c

··· 156 156 static int _mic_virtio_copy(struct mic_vdev *mvdev, 157 157 struct mic_copy_desc *copy) 158 158 { 159 - int ret = 0, iovcnt = copy->iovcnt; 159 + int ret = 0; 160 + u32 iovcnt = copy->iovcnt; 160 161 struct iovec iov; 161 162 struct iovec __user *u_iov = copy->iov; 162 163 void __user *ubuf = NULL;

+1 -1

include/uapi/linux/mic_ioctl.h

··· 39 39 #else 40 40 struct iovec *iov; 41 41 #endif 42 - int iovcnt; 42 + __u32 iovcnt; 43 43 __u8 vr_idx; 44 44 __u8 update_used; 45 45 __u32 out_len;