virtio: balloon: fix integer overflow

Fix a potential integer overflow when computing the end of the
destination slice during a configuration write in
Balloon::write_config(). This bug leads to a panic when adding with
overflow or indexing the slice a few lines below, depending on the
build.

Fix this by using `usize::checked_add()` and `slice::get_mut()`.

Signed-off-by: Carlos López <[email protected]>

Author: 00xc

src/vmm/src/devices/virtio/balloon/device.rs

@@ -553,14 +553,18 @@ impl VirtioDevice for Balloon {
     }
 
     fn write_config(&mut self, offset: u64, data: &[u8]) {
-        let data_len = data.len() as u64;
         let config_space_bytes = self.config_space.as_mut_slice();
-        let config_len = config_space_bytes.len() as u64;
-        if offset + data_len > config_len {
+        let start = usize::try_from(offset).ok();
+        let end = start.and_then(|s| s.checked_add(data.len()));
+        let Some(dst) = start
+            .zip(end)
+            .and_then(|(start, end)| config_space_bytes.get_mut(start..end)) else
+        {
             error!("Failed to write config space");
             return;
-        }
-        config_space_bytes[offset as usize..(offset + data_len) as usize].copy_from_slice(data);
+        };
+
+        dst.copy_from_slice(data);
     }
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> ActivateResult {