vfio-mdev: buffer overflow in ioctl()

This is a sample driver for documentation so the impact is probably
pretty low.  But we should check that bar_index is valid so we
don't write beyond the end of the mdev_state->region_info[] array.

Fixes: 9d1a546c53b4 ("docs: Sample driver to demonstrate how to use Mediated device framework.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kirti Wankhede <kwankhede@nvidia.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/samples/vfio-mdev/mtty.c b/samples/vfio-mdev/mtty.c
index 975af5bbf28d..382f4797428f 100644
--- a/samples/vfio-mdev/mtty.c
+++ b/samples/vfio-mdev/mtty.c
@@ -1073,7 +1073,7 @@ int mtty_get_region_info(struct mdev_device *mdev,
 {
         unsigned int size = 0;
         struct mdev_state *mdev_state;
-        int bar_index;
+        u32 bar_index;
 
         if (!mdev)
                 return -EINVAL;
@@ -1082,8 +1082,11 @@ int mtty_get_region_info(struct mdev_device *mdev,
         if (!mdev_state)
                 return -EINVAL;
 
-        mutex_lock(&mdev_state->ops_lock);
         bar_index = region_info->index;
+        if (bar_index >= VFIO_PCI_NUM_REGIONS)
+                return -EINVAL;
+
+        mutex_lock(&mdev_state->ops_lock);
 
         switch (bar_index) {
         case VFIO_PCI_CONFIG_REGION_INDEX: