summaryrefslogtreecommitdiff
path: root/drivers/vfio
diff options
context:
space:
mode:
authorAlex Williamson <alex.williamson@redhat.com>2013-01-15 10:45:26 -0700
committerAlex Williamson <alex.williamson@redhat.com>2013-01-15 10:45:26 -0700
commitec1287e511320a2c9a02640b7ac02d5d79f56f08 (patch)
tree80cb8ec5f4990a80b61a5b6707fd09d808ca64fd /drivers/vfio
parent406089d01562f1e2bf9f089fd7637009ebaad589 (diff)
downloadlwn-ec1287e511320a2c9a02640b7ac02d5d79f56f08.tar.gz
lwn-ec1287e511320a2c9a02640b7ac02d5d79f56f08.zip
vfio-pci: Fix buffer overfill
A read from a range hidden from the user (ex. MSI-X vector table) attempts to fill the user buffer up to the end of the excluded range instead of up to the requested count. Fix it. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/vfio')
-rw-r--r--drivers/vfio/pci/vfio_pci_rdwr.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
index 4362d9e7baa3..f72323ef618f 100644
--- a/drivers/vfio/pci/vfio_pci_rdwr.c
+++ b/drivers/vfio/pci/vfio_pci_rdwr.c
@@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf,
filled = 1;
} else {
/* Drop writes, fill reads with FF */
+ filled = min((size_t)(x_end - pos), count);
if (!iswrite) {
char val = 0xFF;
size_t i;
- for (i = 0; i < x_end - pos; i++) {
+ for (i = 0; i < filled; i++) {
if (put_user(val, buf + i))
goto out;
}
}
- filled = x_end - pos;
}
count -= filled;