From: Dan Carpenter Date: Thu, 1 Sep 2022 15:35:20 +0000 (+0300) Subject: xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() X-Git-Tag: Proxmox-5.15.83-1~2214 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=f12c2f5bdd9761aa8fd799da9f99f441a7f15ddd;p=mirror_ubuntu-jammy-kernel.git xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() BugLink: https://bugs.launchpad.net/bugs/1991840 [ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ] The change from kcalloc() to kvmalloc() means that arg->nr_pages might now be large enough that the "args->nr_pages << PAGE_SHIFT" can result in an integer overflow. Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()") Signed-off-by: Dan Carpenter Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin Signed-off-by: Kamal Mostafa Signed-off-by: Stefan Bader --- diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 5c83d41766c8..0a2d24d6ac6f 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args) size_t size; int i, ret; + if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT)) + return -ENOMEM; + size = args->nr_pages << PAGE_SHIFT; if (args->coherent) args->vaddr = dma_alloc_coherent(args->dev, size,
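Review bot: the new range check at the top of gnttab_dma_alloc_pages() returns -ENOMEM for a negative or oversized args->nr_pages, which callers cannot tell apart from a genuine allocation failure. Consider -EINVAL for a rejected argument, unless existing callers depend on -ENOMEM. The bound is INT_MAX >> PAGE_SHIFT even though size is declared size_t. That is the right limit, because the shift in "size = args->nr_pages << PAGE_SHIFT" is evaluated in the type of args->nr_pages before the assignment widens it. A one-line comment above the check saying so would stop a later cleanup from relaxing the bound to the width of size_t.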