| commit | 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 | |
| author | Li Qiang <liqiang6-s@360.cn> | |
| Tue, 1 Nov 2016 11:00:40 +0000 (1 12:00 +0100) | ||
| committer | Greg Kurz <groug@kaod.org> | |
| Tue, 1 Nov 2016 11:03:01 +0000 (1 12:03 +0100) | ||
| tree | 308e1f069dee27eaf7f7e7c101ecce607c0da1c4 | treesnapshot (tar.gz zip) |
| parent | 8495f9ad26d398f01e208a53f1a5152483a16084 | commitdiff |
9pfs: fix integer overflow issue in xattr read/write
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
| hw/9pfs/9p.c | diffblobblamehistory |