misc: mic: fix possible signed underflow (undefined behavior) in userspace API

iovcnt is declared as a signed integer in both the userspace API and as a local variable in mic_virtio.c. The while() loop in mic_virtio.c iterates until the local variable iovcnt reaches the value 0. If userspace passes e.g. INT_MIN as iovcnt field, this loop then appears to depend on an undefined behavior (signed underflow) to complete. The fix is to use unsigned integers in both the userspace API and the local variable. This issue was reported @ https://lkml.org/lkml/2014/1/10/10 Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Signed-off-by: Sudeep Dutt <sudeep.dutt@intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Sudeep Dutt <sudeep.dutt@intel.com> 2014-02-03 22:53:19 (GMT)
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-07 23:30:34 (GMT)
commit: 3b1cc9b9622a022208ec95b1259b05bbdf712eb7 (patch)
tree: c80a0f6b893b3bb48b70b23c13f5258ba06a8d82 /include
parent: 01ab1167cd2d861d20195eda08505652c536df97 (diff)
download: linux-3b1cc9b9622a022208ec95b1259b05bbdf712eb7.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/include/uapi/linux/mic_ioctl.h b/include/uapi/linux/mic_ioctl.h
index 7fabba5..feb0b4c 100644
--- a/include/uapi/linux/mic_ioctl.h
+++ b/include/uapi/linux/mic_ioctl.h
@@ -39,7 +39,7 @@ struct mic_copy_desc {
 #else
 	struct iovec *iov;
 #endif
-	int iovcnt;
+	__u32 iovcnt;
 	__u8 vr_idx;
 	__u8 update_used;
 	__u32 out_len;
author	Sudeep Dutt <sudeep.dutt@intel.com>	2014-02-03 22:53:19 (GMT)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-02-07 23:30:34 (GMT)
commit	3b1cc9b9622a022208ec95b1259b05bbdf712eb7 (patch)
tree	c80a0f6b893b3bb48b70b23c13f5258ba06a8d82 /include
parent	01ab1167cd2d861d20195eda08505652c536df97 (diff)
download	linux-3b1cc9b9622a022208ec95b1259b05bbdf712eb7.tar.xz