On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin wrote: > From: Andi Kleen <[email protected]> > > tag_len is read as a u16 from the untrusted host. It could overflow > in the memory allocation, which would lead to a too small buffer. > > Some later loops use it when extended to 32bit, so they could overflow > the too small buffer. > > Make sure to do the arithmetic for the buffer size in 32bit to avoid > wrapping. > > Signed-off-by: Andi Kleen <[email protected]> > Signed-off-by: Alexander Shishkin <[email protected]> > Reviewed-by: Christian Schoenebeck <[email protected]> > Cc: Eric Van Hensbergen <[email protected]> > Cc: Latchesar Ionkov <[email protected]> > Cc: Dominique Martinet <[email protected]> > Cc: [email protected] > --- > net/9p/trans_virtio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c > index 3c27ffb781e3..a78e4d80e5ba 100644 > --- a/net/9p/trans_virtio.c > +++ b/net/9p/trans_virtio.c > @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) > err = -EINVAL; > goto out_free_vq; > } > - tag = kzalloc(tag_len + 1, GFP_KERNEL); > + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL); > if (!tag) { > err = -ENOMEM; > goto out_free_vq;
Hmm are you sure there's a difference in behaviour? I thought C will just extend the integer to int. > -- > 2.39.0 _______________________________________________ Virtualization mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/virtualization
