author | Alex Williamson <alex.williamson@redhat.com> | 2013-01-15 10:45:26 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-01-27 20:49:00 -0800 |
commit | 87c7746150f3c90b23837817af9be414baf7e25b (patch) | |
tree | 603ca94ba5ad3329b3974f32e2ff1e0d7c73d768 | |
parent | 9b19e974ebb8ae156e03a6ad7361b8c7134e68a0 (diff) | |
vfio-pci: Fix buffer overfill
commit ec1287e511320a2c9a02640b7ac02d5d79f56f08 upstream.
A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count. Fix it.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/vfio/pci/vfio_pci_rdwr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
index 4362d9e7baa3..f72323ef618f 100644
--- a/drivers/vfio/pci/vfio_pci_rdwr.c
+++ b/drivers/vfio/pci/vfio_pci_rdwr.c
@@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf,
 filled = 1;
 } else {
 /* Drop writes, fill reads with FF */
+ filled = min((size_t)(x_end - pos), count);
 if (!iswrite) {
 char val = 0xFF;
 size_t i;
- for (i = 0; i < x_end - pos; i++) {
+ for (i = 0; i < filled; i++) {
 if (put_user(val, buf + i))
 goto out;
 }
 }
- filled = x_end - pos;
 }
 count -= filled; |
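Review bot: The new bound `filled = min((size_t)(x_end - pos), count);` is correct only if the enclosing branch guarantees `pos < x_end`, and that test sits above the hunk, so the cast hides an invariant the reader cannot see here. If the difference were ever negative, the cast would produce a very large value and `min()` would quietly pick `count`; the user buffer would still not be overrun, but the whole request would be treated as hidden range. As a matter of style I would write `filled = min_t(size_t, x_end - pos, count);` and extend the comment to `/* Drop writes, fill reads with FF, never past the requested count; pos < x_end here */`. `vfio_pci_mem_readwrite` starts and ends outside the hunk, so what the `out:` path returns when `put_user()` fails partway through the fill cannot be checked from these lines.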