summaryrefslogtreecommitdiff
path: root/drivers/misc/vmw_vmci/vmci_queue_pair.c
diff options
context:
space:
mode:
authorJorgen Hansen <jhansen@vmware.com>2015-03-02 08:19:11 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-03-25 11:32:15 +0100
commitaa6467f190d32b263f7144239c89c63c922d9ff8 (patch)
tree31c580c58722854adb00b2bd991f8ca17913869c /drivers/misc/vmw_vmci/vmci_queue_pair.c
parent74b5c297f5ecbef0ca128fa7b385b43f036a7984 (diff)
downloadlwn-aa6467f190d32b263f7144239c89c63c922d9ff8.tar.gz
lwn-aa6467f190d32b263f7144239c89c63c922d9ff8.zip
VMCI: Guard against overflow in queue pair allocation
The current maximum size of a queue in a queue pair is 128 MB. If we increase that in the future, the queue pair allocation routines may run into overflow issues. This change adds additional checks to guard against this. Acked-by: Andy King <acking@vmware.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jorgen Hansen <jhansen@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/vmw_vmci/vmci_queue_pair.c')
-rw-r--r--drivers/misc/vmw_vmci/vmci_queue_pair.c31
1 files changed, 22 insertions, 9 deletions
diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
index c3849456332e..f42d9c4e4561 100644
--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
+++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
@@ -295,12 +295,20 @@ static void *qp_alloc_queue(u64 size, u32 flags)
{
u64 i;
struct vmci_queue *queue;
- const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
- const size_t pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
- const size_t vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
- const size_t queue_size =
- sizeof(*queue) + sizeof(*queue->kernel_if) +
- pas_size + vas_size;
+ size_t pas_size;
+ size_t vas_size;
+ size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
+ const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+
+ if (num_pages >
+ (SIZE_MAX - queue_size) /
+ (sizeof(*queue->kernel_if->u.g.pas) +
+ sizeof(*queue->kernel_if->u.g.vas)))
+ return NULL;
+
+ pas_size = num_pages * sizeof(*queue->kernel_if->u.g.pas);
+ vas_size = num_pages * sizeof(*queue->kernel_if->u.g.vas);
+ queue_size += pas_size + vas_size;
queue = vmalloc(queue_size);
if (!queue)
@@ -615,10 +623,15 @@ static int qp_memcpy_from_queue_iov(void *dest,
static struct vmci_queue *qp_host_alloc_queue(u64 size)
{
struct vmci_queue *queue;
- const size_t num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
+ size_t queue_page_size;
+ const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
- const size_t queue_page_size =
- num_pages * sizeof(*queue->kernel_if->u.h.page);
+
+ if (num_pages > (SIZE_MAX - queue_size) /
+ sizeof(*queue->kernel_if->u.h.page))
+ return NULL;
+
+ queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
if (queue) {