On 07/14/2016 08:17 PM, Stefan Hajnoczi wrote:
+/* Read FIT data, defined in docs/specs/acpi_nvdimm.txt. */ +static void nvdimm_dsm_func_read_fit(NvdimmDsmIn *in, hwaddr dsm_mem_addr) +{ + NvdimmFuncReadFITIn *read_fit; + NvdimmFuncReadFITOut *read_fit_out; + GSList *device_list = nvdimm_get_plugged_device_list(); + GArray *fit = nvdimm_build_device_structure(device_list); + uint32_t read_len = 0, func_ret_status; + int left, size; + + read_fit = (NvdimmFuncReadFITIn *)in->arg3; + le32_to_cpus(&read_fit->offset); + + nvdimm_debug("Read FIT: offset %#x FIT size %#x.\n", read_fit->offset, + fit->len); + + left = fit->len - read_fit->offset; + if (left < 0) {Signed integer overflow leads to memory disclosure in memcpy() below. The problem occurs when (guint)fit->len - (uint32_t)read_fit->offset > INT_MAX. Please perform the check like this: if (fit->offset >= fit->len) {
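Review bot: the `left < 0` test at the end of the hunk computes `fit->len - read_fit->offset` in unsigned arithmetic (`guint` minus `uint32_t`) and only then narrows the result to `int`, so a guest-supplied offset that exceeds the FIT length by more than INT_MAX produces a positive `left`, the check passes, and the memcpy() below reads past the FIT buffer; compare the two values directly before any subtraction, e.g. `if (read_fit->offset >= fit->len) {`, and only compute `left` once the offset is known to be in range. Also note that the check as written in the review comment reads `fit->offset`, but `fit` is the GArray and has no `offset` member; the guest offset is `read_fit->offset` and the bound is `fit->len`.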
Ah, yes, you are right, thank you for pointing it out. Will fix it.
