vduse: check that offset is within bounds in get_config()

Dan Carpenter · mstsirkin · commit dc1db0060c02 · 2021-12-08T14:53:15.000-05:00
This condition checks "len" but it does not check "offset" and that could result in an out of bounds read if "offset > dev->config_size". The problem is that since both variables are unsigned the "dev->config_size - offset" subtraction would result in a very high unsigned value. I think these checks might not be necessary because "len" and "offset" are supposed to already have been validated using the vhost_vdpa_config_validate() function. But I do not know the code perfectly, and I like to be safe. Fixes: c8a6153 ("vduse: Introduce VDUSE - vDPA Device in Userspace") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20211208150956.GA29160@kili Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: stable@vger.kernel.org
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
 {
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);
 
-	if (len > dev->config_size - offset)
+	if (offset > dev->config_size ||
+	    len > dev->config_size - offset)
 		return;
 
 	memcpy(buf, dev->config + offset, len);

Original file line number	Diff line number	Diff line change
`@@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,`
`655`	`655`	`{`
`656`	`656`	`struct vduse_dev *dev = vdpa_to_vduse(vdpa);`
`657`	`657`
`658`		`- if (len > dev->config_size - offset)`
	`658`	`+ if (offset > dev->config_size \|\|`
	`659`	`+ len > dev->config_size - offset)`
`659`	`660`	`return;`
`660`	`661`
`661`	`662`	`memcpy(buf, dev->config + offset, len);`