vfio/type1: Fix unmap overflow off-by-one
author: Alex Williamson <alex.williamson@redhat.com>
Tue, 8 Jan 2019 05:13:22 +0000 (22:13 -0700)
committer: Alex Williamson <alex.williamson@redhat.com>
Tue, 8 Jan 2019 16:31:28 +0000 (09:31 -0700)
The below referenced commit adds a test for integer overflow, but in
doing so prevents the unmap ioctl from ever including the last page of
the address space.  Subtract one to compare to the last address of the
unmap to avoid the overflow and wrap-around.

Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
Cc: stable@vger.kernel.org # v4.15+
Reported-by: Pei Zhang <pezhang@redhat.com>
Debugged-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Tested-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
drivers/vfio/vfio_iommu_type1.c

index 7651cfb14836ab3d751b770797fd3c7e3b985bb2..73652e21efec6a28393bd979d2d42caef711b280 100644 (file)
@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
                return -EINVAL;
        if (!unmap->size || unmap->size & mask)
                return -EINVAL;
-       if (unmap->iova + unmap->size < unmap->iova ||
+       if (unmap->iova + unmap->size - 1 < unmap->iova ||
            unmap->size > SIZE_MAX)
                return -EINVAL;
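Review bot: the corrected check `unmap->iova + unmap->size - 1 < unmap->iova` is only safe because the preceding `if (!unmap->size || unmap->size & mask)` already rejects a zero size; with size == 0 the subtraction would wrap to ULLONG_MAX and the comparison would be meaningless, so the two checks must stay in this order, and a one-line comment above the new condition ("size is non-zero here, so iova + size - 1 is the last byte of the range") would make that dependency explicit for the next person who reorders the validation. The logic itself is right: with a non-zero, page-aligned size, `iova + size - 1` is the last address to unmap and wraps exactly when the range crosses the top of the address space, whereas the old `iova + size` also wrapped for a range that ends precisely at the last address, which is the off-by-one the message describes.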