Commit ec1287e5 authored by Alex Williamson's avatar Alex Williamson

vfio-pci: Fix buffer overfill

A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count.  Fix it.
Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
parent 406089d0
......@@ -240,17 +240,17 @@ ssize_t vfio_pci_mem_readwrite(struct vfio_pci_device *vdev, char __user *buf,
filled = 1;
} else {
/* Drop writes, fill reads with FF */
filled = min((size_t)(x_end - pos), count);
if (!iswrite) {
char val = 0xFF;
size_t i;
for (i = 0; i < x_end - pos; i++) {
for (i = 0; i < filled; i++) {
if (put_user(val, buf + i))
goto out;
}
}
filled = x_end - pos;
}
count -= filled;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment