forked from Minki/linux
1c2eb5b285
The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
54 lines
1.6 KiB
C
54 lines
1.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* VMware VMCI Driver
|
|
*
|
|
* Copyright (C) 2012 VMware, Inc. All rights reserved.
|
|
*/
|
|
|
|
#ifndef _VMCI_HANDLE_ARRAY_H_
|
|
#define _VMCI_HANDLE_ARRAY_H_
|
|
|
|
#include <linux/vmw_vmci_defs.h>
|
|
#include <linux/limits.h>
|
|
#include <linux/types.h>
|
|
|
|
struct vmci_handle_arr {
|
|
u32 capacity;
|
|
u32 max_capacity;
|
|
u32 size;
|
|
u32 pad;
|
|
struct vmci_handle entries[];
|
|
};
|
|
|
|
#define VMCI_HANDLE_ARRAY_HEADER_SIZE \
|
|
offsetof(struct vmci_handle_arr, entries)
|
|
/* Select a default capacity that results in a 64 byte sized array */
|
|
#define VMCI_HANDLE_ARRAY_DEFAULT_CAPACITY 6
|
|
/* Make sure that the max array size can be expressed by a u32 */
|
|
#define VMCI_HANDLE_ARRAY_MAX_CAPACITY \
|
|
((U32_MAX - VMCI_HANDLE_ARRAY_HEADER_SIZE - 1) / \
|
|
sizeof(struct vmci_handle))
|
|
|
|
struct vmci_handle_arr *vmci_handle_arr_create(u32 capacity, u32 max_capacity);
|
|
void vmci_handle_arr_destroy(struct vmci_handle_arr *array);
|
|
int vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr,
|
|
struct vmci_handle handle);
|
|
struct vmci_handle vmci_handle_arr_remove_entry(struct vmci_handle_arr *array,
|
|
struct vmci_handle
|
|
entry_handle);
|
|
struct vmci_handle vmci_handle_arr_remove_tail(struct vmci_handle_arr *array);
|
|
struct vmci_handle
|
|
vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, u32 index);
|
|
bool vmci_handle_arr_has_entry(const struct vmci_handle_arr *array,
|
|
struct vmci_handle entry_handle);
|
|
struct vmci_handle *vmci_handle_arr_get_handles(struct vmci_handle_arr *array);
|
|
|
|
static inline u32 vmci_handle_arr_get_size(
|
|
const struct vmci_handle_arr *array)
|
|
{
|
|
return array->size;
|
|
}
|
|
|
|
|
|
#endif /* _VMCI_HANDLE_ARRAY_H_ */
|