vfio/iommu_type1: Use struct_size() for kzalloc()

GustavoARSilva · awilliam · commit 78b238147e4d · 2021-05-24T13:40:13.000-06:00
Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows
that, in the worst scenario, could lead to heap overflows.

This code was detected with the help of Coccinelle and, audited and
fixed manually.

Signed-off-by: Gustavo A. R. Silva &lt;gustavoars@kernel.org&gt;
Message-Id: &lt;20210513230155.GA217517@embeddedor&gt;
Signed-off-by: Alex Williamson &lt;alex.williamson@redhat.com&gt;
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
@@ -2795,7 +2795,7 @@ static int vfio_iommu_iova_build_caps(struct vfio_iommu *iommu,
 		return 0;
 	}
 
-	size = sizeof(*cap_iovas) + (iovas * sizeof(*cap_iovas->iova_ranges));
+	size = struct_size(cap_iovas, iova_ranges, iovas);
 
 	cap_iovas = kzalloc(size, GFP_KERNEL);
 	if (!cap_iovas)

Original file line number	Diff line number	Diff line change
`@@ -2795,7 +2795,7 @@ static int vfio_iommu_iova_build_caps(struct vfio_iommu *iommu,`
`2795`	`2795`	`return 0;`
`2796`	`2796`	`}`
`2797`	`2797`
`2798`		`- size = sizeof(cap_iovas) + (iovas sizeof(*cap_iovas->iova_ranges));`
	`2798`	`+ size = struct_size(cap_iovas, iova_ranges, iovas);`
`2799`	`2799`
`2800`	`2800`	`cap_iovas = kzalloc(size, GFP_KERNEL);`
`2801`	`2801`	`if (!cap_iovas)`