git.baikalelectronics.ru Git - kernel.git/commit

author	Sudeep Dutt <sudeep.dutt@intel.com>
	Mon, 3 Feb 2014 22:53:19 +0000 (14:53 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 7 Feb 2014 23:30:34 +0000 (15:30 -0800)
commit	70073e4c8b3ead2321bd0a452ad904d20c812858
tree	c80a0f6b893b3bb48b70b23c13f5258ba06a8d82	tree \| snapshot
parent	d974e96c0a63a729118a9d3a654b335df713e73d	commit \| diff

misc: mic: fix possible signed underflow (undefined behavior) in userspace API

iovcnt is declared as a signed integer in both the userspace API and
as a local variable in mic_virtio.c. The while() loop in mic_virtio.c
iterates until the local variable iovcnt reaches the value 0. If
userspace passes e.g. INT_MIN as iovcnt field, this loop then appears
to depend on an undefined behavior (signed underflow) to complete.
The fix is to use unsigned integers in both the userspace API and
the local variable.

This issue was reported @ https://lkml.org/lkml/2014/1/10/10

Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Sudeep Dutt <sudeep.dutt@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/misc/mic/host/mic_virtio.c		diff \| blob \| history
include/uapi/linux/mic_ioctl.h		diff \| blob \| history