git.ipfire.org Git - people/ms/linux.git/commit

author	Sudeep Dutt <sudeep.dutt@intel.com>
	Mon, 3 Feb 2014 22:53:19 +0000 (14:53 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 22 Feb 2014 21:34:57 +0000 (13:34 -0800)
commit	ea751ea7a0fef5e60ac9a876d383983b827fd05d
tree	f0080e0b67b5e2240676f1248ef65e9525aca1a2	tree
parent	2ae24ea8ea78574ba0af8e21f8b7584023397bef	commit \| diff

misc: mic: fix possible signed underflow (undefined behavior) in userspace API

commit 3b1cc9b9622a022208ec95b1259b05bbdf712eb7 upstream.

iovcnt is declared as a signed integer in both the userspace API and
as a local variable in mic_virtio.c. The while() loop in mic_virtio.c
iterates until the local variable iovcnt reaches the value 0. If
userspace passes e.g. INT_MIN as iovcnt field, this loop then appears
to depend on an undefined behavior (signed underflow) to complete.
The fix is to use unsigned integers in both the userspace API and
the local variable.

This issue was reported @ https://lkml.org/lkml/2014/1/10/10

Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/misc/mic/host/mic_virtio.c		diff \| blob \| blame \| history
include/uapi/linux/mic_ioctl.h		diff \| blob \| blame \| history