From b37e2ed3783f24bdf45fb415b90b6d6ca9fea703 Mon Sep 17 00:00:00 2001
From: Bo Chen
Date: Thu, 3 Nov 2022 16:59:42 -0700
Subject: [PATCH] virtio-devices: mem: Handle integer overflow properly

An integer overflow from our virtio-mem device can be triggered from (misbehaved) guest driver with malicious requests. This patch handles this integer overflow explicitly and treats it as an invalid request. Note: this bug was detected by our virtio-mem fuzzer through 'oss-fuzz'.

Signed-off-by: Bo Chen
---
 virtio-devices/src/mem.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/virtio-devices/src/mem.rs b/virtio-devices/src/mem.rs
index 96378e1ad..b8df227a0 100644
--- a/virtio-devices/src/mem.rs
+++ b/virtio-devices/src/mem.rs
@@ -260,6 +260,12 @@ impl VirtioMemConfig { } fn is_valid_range(&self, addr: u64, size: u64) -> bool { + // Ensure no overflow from adding 'addr' and 'size' whose value are both + // controlled by the guest driver + if addr.checked_add(size).is_none() { + return false; + } + + // Start address must be aligned on block_size, the size must be // greater than 0, and all blocks covered by the request must be // in the usable region.
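Review bot: The guard added at the top of `is_valid_range` discards the result of `addr.checked_add(size)`, so the range-end computation that the following comment describes (outside this hunk, presumably still a plain `addr + size`) is safe only as long as this early return stays in front of it. Binding the checked sum once ties the validation to its use, e.g. `let end = match addr.checked_add(size) { Some(end) => end, None => return false };`, with `end` then compared against the usable-region bound. The diffstat shows six insertions in mem.rs and nothing else, so the fix ships without a regression test; a unit test asserting that a request with `addr = u64::MAX` and `size = 1` is rejected would pin the fuzzer finding. The body of `is_valid_range` continues past the end of the hunk, so the remaining arithmetic on these guest-controlled values could not be reviewed here.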