diff options
author | Alex Williamson <alex.williamson@redhat.com> | 2013-01-15 10:45:26 -0700 |
---|---|---|
committer | Alex Williamson <alex.williamson@redhat.com> | 2013-01-15 10:45:26 -0700 |
commit | ec1287e511320a2c9a02640b7ac02d5d79f56f08 (patch) | |
tree | 80cb8ec5f4990a80b61a5b6707fd09d808ca64fd /drivers/vfio/pci | |
parent | 406089d01562f1e2bf9f089fd7637009ebaad589 (diff) |
vfio-pci: Fix buffer overfill
A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count. Fix it.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
Diffstat (limited to 'drivers/vfio/pci')
-rw-r--r-- | drivers/vfio/pci/vfio_pci_rdwr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c index 4362d9e7baa..f72323ef618 100644 --- a/drivers/vfio/pci/vfio_pci_rdwr.c +++ b/drivers/vfio/pci/vfio_pci_rdwr.c @@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf, filled = 1; } else { /* Drop writes, fill reads with FF */ + filled = min((size_t)(x_end - pos), count); if (!iswrite) { char val = 0xFF; size_t i; - for (i = 0; i < x_end - pos; i++) { + for (i = 0; i < filled; i++) { if (put_user(val, buf + i)) goto out; } } - filled = x_end - pos; } count -= filled; |