Please sign in to comment.
core: add overflow check in mobj_reg_shm_alloc()
In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory would be a small memory block, while num_pages would be large, which could lead to a generous memcpy() when copying the pages in internal memory, the outcome of this depends on memory mapping. Note: no attack path are identified to exploit this overflow, however it is error prone and could lead to a future vulnerability. This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static function that performs the same computation, but returns 0 in case of integer overflow. The call site is updated to return an error status should this situation happen. Signed-off-by: Jerome Forissier <firstname.lastname@example.org> Reported-by: Bastien Simondi <email@example.com> [2.3] Reviewed-by: Jens Wiklander <firstname.lastname@example.org> Reviewed-by: Joakim Bech <email@example.com>
- Loading branch information...