From 899c16c26d104943ff72ab4dbf069fea9699ebe3 Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Tue, 10 Mar 2015 07:27:43 +0100
Subject: [PATCH] driver: Improve input validation to make code scanners happier

We trust the configuration files passed down to the driver already because they define the isolation set up by the hypervisor and can therefore screw up the system in various ways. Nevertheless, we can and should improve basic consistency checks of config fields that influences allocations and copy operations. This will detect some corruptions/inconsistencies earlier and also satisfies the Coverity scanner.

Signed-off-by: Jan Kiszka
---
 driver/cell.c | 4 ++++
 driver/main.c | 6 ++++--
 driver/pci.c | 4 ++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/driver/cell.c b/driver/cell.c
index c1721d1..07eb602 100644
--- a/driver/cell.c
+++ b/driver/cell.c
@@ -39,6 +39,10 @@ struct cell *jailhouse_cell_create(const struct jailhouse_cell_desc *cell_desc) struct cell *cell; int err; + if (cell_desc->num_memory_regions >= ULONG_MAX / sizeof(struct jailhouse_memory)) + return ERR_PTR(-EINVAL); + cell = kzalloc(sizeof(*cell), GFP_KERNEL); if (!cell) return ERR_PTR(-ENOMEM);
diff --git a/driver/main.c b/driver/main.c
index 4721db7..f3a08f3 100644
--- a/driver/main.c
+++ b/driver/main.c
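Review bot: The new bound in jailhouse_cell_create only keeps `num_memory_regions * sizeof(struct jailhouse_memory)` from wrapping; it does not relate the count to the size of the configuration blob the regions are later copied from, so an inconsistent descriptor with a count just below `ULONG_MAX / sizeof(struct jailhouse_memory)` still reaches the allocation and fails there with -ENOMEM instead of being rejected with -EINVAL. If the descriptor's total size is already known at this point (it is not visible in the hunk), checking that the region table fits inside it would be the stronger consistency check the commit message describes. At minimum a one-line comment would stop the next reader from mistaking the bound for a policy limit on region counts: `/* guard the region table size computation against overflow */`. The identical check added to jailhouse_pci_cell_setup in driver/pci.c has the same shape and would benefit from the same comment. The body of jailhouse_cell_create continues past the end of the hunk.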
@@ -217,13 +217,15 @@ static int jailhouse_cmd_enable(struct jailhouse_system __user *arg) err = -EINVAL; if (memcmp(header->signature, JAILHOUSE_SIGNATURE, - sizeof(header->signature)) != 0) + sizeof(header->signature)) != 0 || + hypervisor->size >= hv_mem->size) goto error_release_fw; hv_core_and_percpu_size = PAGE_ALIGN(header->core_size) + max_cpus * header->percpu_size; config_size = jailhouse_system_config_size(&config_header); - if (hv_mem->size <= hv_core_and_percpu_size + config_size) + if (hv_core_and_percpu_size >= hv_mem->size || + config_size >= hv_mem->size - hv_core_and_percpu_size) goto error_release_fw; hypervisor_mem = jailhouse_ioremap(hv_mem->phys_start, JAILHOUSE_BASE,
diff --git a/driver/pci.c b/driver/pci.c
index 24ac2c0..8d9e527 100644
--- a/driver/pci.c
+++ b/driver/pci.c
@@ -66,6 +66,10 @@ int jailhouse_pci_cell_setup(struct cell *cell, /* cell is zero-initialized, no need to set pci fields */ return 0; + if (cell_desc->num_pci_devices >= ULONG_MAX / sizeof(struct jailhouse_pci_device)) + return -EINVAL; + cell->num_pci_devices = cell_desc->num_pci_devices; cell->pci_devices = vmalloc(sizeof(struct jailhouse_pci_device) * cell->num_pci_devices);
-- 
2.39.2
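Review bot: The split comparison keeps `hv_core_and_percpu_size + config_size` from wrapping, but the operands it guards are themselves computed unchecked two lines earlier: `PAGE_ALIGN(header->core_size)` and `max_cpus * header->percpu_size` both derive from the firmware image header and can wrap before the new `>= hv_mem->size` test sees them, which would let an oversized image appear small. Unless `max_cpus`, `core_size` and `percpu_size` are bounded elsewhere (not visible here), rejecting the header fields first would close that gap, e.g. `if (header->core_size >= hv_mem->size || header->percpu_size >= hv_mem->size / max_cpus) goto error_release_fw;` placed before the `hv_core_and_percpu_size` computation, assuming `max_cpus` is known to be non-zero at that point. The added `hypervisor->size >= hv_mem->size` test is sensible, but a short comment stating why the image must be strictly smaller than the region (presumably because the per-CPU and config areas compared below share the same region) would help. jailhouse_cmd_enable starts and ends outside the hunk.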