From: Alex Williamson Date: Tue, 15 Jan 2013 17:45:26 +0000 (-0700) Subject: vfio-pci: Fix buffer overfill X-Git-Tag: firefly_0821_release~3680^2~1224^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ec1287e511320a2c9a02640b7ac02d5d79f56f08;p=firefly-linux-kernel-4.4.55.git vfio-pci: Fix buffer overfill A read from a range hidden from the user (ex. MSI-X vector table) attempts to fill the user buffer up to the end of the excluded range instead of up to the requested count. Fix it. Signed-off-by: Alex Williamson Cc: stable@vger.kernel.org --- diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c index 4362d9e7baa3..f72323ef618f 100644 --- a/drivers/vfio/pci/vfio_pci_rdwr.c +++ b/drivers/vfio/pci/vfio_pci_rdwr.c @@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf, filled = 1; } else { /* Drop writes, fill reads with FF */ + filled = min((size_t)(x_end - pos), count); if (!iswrite) { char val = 0xFF; size_t i; - for (i = 0; i < x_end - pos; i++) { + for (i = 0; i < filled; i++) { if (put_user(val, buf + i)) goto out; } } - filled = x_end - pos; } count -= filled;
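Review bot: in the added line `filled = min((size_t)(x_end - pos), count);` the cast written inside min() would read better as `min_t(size_t, x_end - pos, count)`, the usual kernel form when the two operands differ in type. The comment "Drop writes, fill reads with FF" could also say that the fill is clamped to the requested count, because that clamp now bounds both the put_user() loop and the following `count -= filled`. Before this change both used `x_end - pos`, so besides the loop writing past the requested length, the subtraction could take more than count whenever the excluded range extended beyond the request. The commit message mentions only the overfill, and a sentence on the `count -= filled` side would help stable reviewers judge the impact.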