Re: [PATCH] arm64: kvm: Fix potential overflow in len

From: Oliver Upton
Date: Sat Dec 28 2024 - 02:09:21 EST

Next message: Tanya Agarwal: "[PATCH] ALSA: usb-audio: US16x08: Initialize array before use"
Previous message: kernel test robot: "drivers/nvme/target/nvmet.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section"
In reply to: Steven Davis: "[PATCH] arm64: kvm: Fix potential overflow in len"
Next in thread: Marc Zyngier: "Re: [PATCH] arm64: kvm: Fix potential overflow in len"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Dec 28, 2024 at 02:01:27AM +0000, Steven Davis wrote:
> The MMIO sign-extension logic in kvm_handle_mmio_return can
> trigger an integer overflow or undefined behavior when len
> is invalid (e.g., len == 0 or len exceeds the size of unsigned
> long). Specifically, the expression (len * 8) - 1 may result
> in an out-of-bounds shift in the computation of the mask.

I don't believe we need this. len is known to be nonzero and at most 8,
which is already being tested for in the existing condition. See the
definition of kvm_vcpu_dabt_get_as() if you're curious why that is.

--
Thanks,
Oliver

Next message: Tanya Agarwal: "[PATCH] ALSA: usb-audio: US16x08: Initialize array before use"
Previous message: kernel test robot: "drivers/nvme/target/nvmet.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section"
In reply to: Steven Davis: "[PATCH] arm64: kvm: Fix potential overflow in len"
Next in thread: Marc Zyngier: "Re: [PATCH] arm64: kvm: Fix potential overflow in len"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]