diff options
| author | Alex Williamson <alex.williamson@redhat.com> | 2013-01-15 12:45:26 -0500 |
|---|---|---|
| committer | Alex Williamson <alex.williamson@redhat.com> | 2013-01-15 12:45:26 -0500 |
| commit | ec1287e511320a2c9a02640b7ac02d5d79f56f08 (patch) | |
| tree | 80cb8ec5f4990a80b61a5b6707fd09d808ca64fd /drivers/vfio/pci/vfio_pci_rdwr.c | |
| parent | 406089d01562f1e2bf9f089fd7637009ebaad589 (diff) | |
vfio-pci: Fix buffer overfill
A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count. Fix it.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/vfio/pci/vfio_pci_rdwr.c')
| -rw-r--r-- | drivers/vfio/pci/vfio_pci_rdwr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c index 4362d9e7baa3..f72323ef618f 100644 --- a/drivers/vfio/pci/vfio_pci_rdwr.c +++ b/drivers/vfio/pci/vfio_pci_rdwr.c | |||
| @@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf, | |||
| 240 | filled = 1; | 240 | filled = 1; |
| 241 | } else { | 241 | } else { |
| 242 | /* Drop writes, fill reads with FF */ | 242 | /* Drop writes, fill reads with FF */ |
| 243 | filled = min((size_t)(x_end - pos), count); | ||
| 243 | if (!iswrite) { | 244 | if (!iswrite) { |
| 244 | char val = 0xFF; | 245 | char val = 0xFF; |
| 245 | size_t i; | 246 | size_t i; |
| 246 | 247 | ||
| 247 | for (i = 0; i < x_end - pos; i++) { | 248 | for (i = 0; i < filled; i++) { |
| 248 | if (put_user(val, buf + i)) | 249 | if (put_user(val, buf + i)) |
| 249 | goto out; | 250 | goto out; |
| 250 | } | 251 | } |
| 251 | } | 252 | } |
| 252 | 253 | ||
| 253 | filled = x_end - pos; | ||
| 254 | } | 254 | } |
| 255 | 255 | ||
| 256 | count -= filled; | 256 | count -= filled; |