External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2025-02-01 17:35:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

virtio-devices: mem: Handle integer overflow properly

Browse Source 
An integer overflow from our virtio-mem device can be triggered
from (misbehaved) guest driver with malicious requests. This patch
handles this integer overflow explicitly and treats it as an invalid
request.

Note: this bug was detected by our virtio-mem fuzzer through 'oss-fuzz'.

Signed-off-by: Bo Chen <chen.bo@intel.com>
This commit is contained in:
Bo Chen 2022-11-03 16:59:42 -07:00 committed by Rob Bradford
parent ef8fb9bd25
commit b37e2ed378
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
virtio-devices/src/mem.rs
View File

@ -260,6 +260,12 @@ impl VirtioMemConfig {
} }
fn is_valid_range(&self, addr: u64, size: u64) -> bool { fn is_valid_range(&self, addr: u64, size: u64) -> bool {
// Ensure no overflow from adding 'addr' and 'size' whose value are both
// controlled by the guest driver
if addr.checked_add(size).is_none() {
return false;
}
// Start address must be aligned on block_size, the size must be // Start address must be aligned on block_size, the size must be
// greater than 0, and all blocks covered by the request must be // greater than 0, and all blocks covered by the request must be
// in the usable region. // in the usable region.