virtio-devices: mem: Handle integer overflow properly
An integer overflow from our virtio-mem device can be triggered from a (misbehaved) guest driver with malicious requests. This patch handles this integer overflow explicitly and treats it as an invalid request.

Note: this bug was detected by our virtio-mem fuzzer through 'oss-fuzz'.

Signed-off-by: Bo Chen <chen.bo@intel.com>
parent ef8fb9bd25
commit b37e2ed378
1 changed files with 6 additions and 0 deletions
|
|
@ -260,6 +260,12 @@ impl VirtioMemConfig {
|
|||
}
|
||||
|
||||
fn is_valid_range(&self, addr: u64, size: u64) -> bool {
|
||||
// Ensure no overflow from adding 'addr' and 'size' whose value are both
|
||||
// controlled by the guest driver
|
||||
if addr.checked_add(size).is_none() {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Start address must be aligned on block_size, the size must be
|
||||
// greater than 0, and all blocks covered by the request must be
|
||||
// in the usable region.
|
||||
|
|
|
|||
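Review bot: In `is_valid_range`, the result of `addr.checked_add(size)` is only tested with `is_none()` and then discarded, so any later range check has to compute the end address a second time. Consider binding it once, for example `let Some(end) = addr.checked_add(size) else { return false; };`, and using `end` in the checks that follow, so the overflow guard and the bounds check cannot drift apart. The new comment should read "whose values are both controlled by the guest driver". The change is 6 additions in one file with no test; a unit test that calls `is_valid_range` with `addr` near `u64::MAX` and a non-zero `size` and expects `false` would pin the fuzzer finding as a regression test.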