diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-04-07 06:12:10 -1000 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-04-07 06:12:10 -1000 |
commit | 3b04689147085f5c8f47835d1c7e48203cba80d3 (patch) | |
tree | 09839161ab2316f923bb54f889687e9824629be7 | |
parent | 82331a70cc3c2901c4ae36ff88d5a28f6d14df32 (diff) | |
parent | 42d8644bd77dd2d747e004e367cb0c895a606f39 (diff) |
Merge tag 'for-linus-5.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen fixes from Juergen Gross:
"One minor fix and a small cleanup for the xen privcmd driver"
* tag 'for-linus-5.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen: Prevent buffer overflow in privcmd ioctl
xen: use struct_size() helper in kzalloc()
-rw-r--r-- | arch/x86/include/asm/xen/hypercall.h | 3 | ||||
-rw-r--r-- | drivers/xen/privcmd-buf.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h index de6f0d59a24f..2863c2026655 100644 --- a/arch/x86/include/asm/xen/hypercall.h +++ b/arch/x86/include/asm/xen/hypercall.h @@ -206,6 +206,9 @@ xen_single_call(unsigned int call, __HYPERCALL_DECLS; __HYPERCALL_5ARG(a1, a2, a3, a4, a5); + if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) + return -EINVAL; + asm volatile(CALL_NOSPEC : __HYPERCALL_5PARAM : [thunk_target] "a" (&hypercall_page[call]) diff --git a/drivers/xen/privcmd-buf.c b/drivers/xen/privcmd-buf.c index de01a6d0059d..a1c61e351d3f 100644 --- a/drivers/xen/privcmd-buf.c +++ b/drivers/xen/privcmd-buf.c @@ -140,8 +140,7 @@ static int privcmd_buf_mmap(struct file *file, struct vm_area_struct *vma) if (!(vma->vm_flags & VM_SHARED)) return -EINVAL; - vma_priv = kzalloc(sizeof(*vma_priv) + count * sizeof(void *), - GFP_KERNEL); + vma_priv = kzalloc(struct_size(vma_priv, pages, count), GFP_KERNEL); if (!vma_priv) return -ENOMEM; |