dect
/
linux-2.6
Archived
13
0
Fork 0
Code Releases Activity

vfio-pci: Fix buffer overfill 

A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count.  Fix it.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
This commit is contained in:
Alex Williamson 2013-01-15 10:45:26 -07:00
parent 406089d015
commit ec1287e511
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/vfio/pci/vfio_pci_rdwr.c
View File

@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf,
filled = 1; filled = 1;
} else { } else {
/* Drop writes, fill reads with FF */ /* Drop writes, fill reads with FF */
filled = min((size_t)(x_end - pos), count);
if (!iswrite) { if (!iswrite) {
char val = 0xFF; char val = 0xFF;
size_t i; size_t i;
for (i = 0; i < x_end - pos; i++) { for (i = 0; i < filled; i++) {
if (put_user(val, buf + i)) if (put_user(val, buf + i))
goto out; goto out;
} }
} }
filled = x_end - pos;
} }
count -= filled; count -= filled;