author: Alex Williamson <alex.williamson@redhat.com> 2016-08-08 16:16:23 -0600
committer: Alex Williamson <alex.williamson@redhat.com> 2016-08-08 16:16:23 -0600
commit: c8952a707556e04374d7b2fdb3a079d63ddf6f2f (patch)
tree: 717b624ef26f12279e3846e779cb1da323f8d472 /Documentation
parent: 29b4817d4018df78086157ea3a55c1d9424a7cfc (diff)
vfio/pci: Fix NULL pointer oops in error interrupt setup handling
There are multiple cases in vfio_pci_set_ctx_trigger_single() where we assume we can safely read from our data pointer without actually checking whether the user has passed any data via the count field. VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we attempt to pull an int32_t file descriptor out before even checking the data type. The other data types assume the data pointer contains one element of their type as well.

In part this is good news because we were previously restricted from doing much sanitization of parameters because it was missed in the past and we didn't want to break existing users. Clearly DATA_NONE is completely broken, so it must not have any users and we can fix it up completely. For DATA_BOOL and DATA_EVENTFD, we'll just protect ourselves, returning error when count is zero since we previously would have oopsed.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Chris Thompson <the_cartographer@hotmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions
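As an added illustration that is not part of the kernel tree or this commit, the following user-space C model shows the check the message describes: the handler validates `count` against the selected data type before it dereferences `data`, so an empty payload yields an error instead of a NULL-pointer oops. The enum values, the `ex_ctx` struct, the `ex_set_trigger` signature and the decision to reject a non-zero count for DATA_NONE are assumptions made for the example; the real VFIO_IRQ_SET_DATA_* flags and handler live in the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the data types the commit message names; the real
 * VFIO_IRQ_SET_DATA_* flags are defined in the kernel's VFIO UAPI header. */
enum ex_data_type { EX_DATA_NONE, EX_DATA_BOOL, EX_DATA_EVENTFD };

/* Hypothetical per-interrupt state: the installed eventfd (-1 = none). */
struct ex_ctx { int32_t trigger_fd; };
/* Hardened handler modelled on the fix the message describes: `data` is read
 * only after `count` shows the caller supplied one element of the chosen type.
 * Returns 1 if the interrupt was triggered, 0 if accepted without triggering,
 * or a negative errno. */
int ex_set_trigger(struct ex_ctx *ctx, enum ex_data_type type,
                   uint32_t count, const void *data)
{
    switch (type) {
    case EX_DATA_NONE:
        /* No payload: a non-zero count is a caller error, data is never read. */
        return count == 0 ? 1 : -EINVAL;
    case EX_DATA_BOOL:
        if (count == 0 || data == NULL)
            return -EINVAL;          /* the unchecked read used to oops here */
        return *(const uint8_t *)data ? 1 : 0;
    case EX_DATA_EVENTFD:
        if (count == 0 || data == NULL)
            return -EINVAL;
        ctx->trigger_fd = *(const int32_t *)data;   /* negative fd disables */
        return 0;
    }
    return -EINVAL;
}

/* Exercises the empty-payload paths; returns how many of the 6 checks hold. */
int ex_run_scenarios(void)
{
    struct ex_ctx ctx = { -1 };
    uint8_t yes = 1;
    int32_t fd = 7;
    int ok = 0;
    ok += ex_set_trigger(&ctx, EX_DATA_NONE, 0, NULL) == 1;
    ok += ex_set_trigger(&ctx, EX_DATA_NONE, 1, &yes) == -EINVAL;
    ok += ex_set_trigger(&ctx, EX_DATA_BOOL, 0, NULL) == -EINVAL;
    ok += ex_set_trigger(&ctx, EX_DATA_BOOL, 1, &yes) == 1;
    ok += ex_set_trigger(&ctx, EX_DATA_EVENTFD, 0, NULL) == -EINVAL;
    ok += ex_set_trigger(&ctx, EX_DATA_EVENTFD, 1, &fd) == 0 && ctx.trigger_fd == 7;
    return ok;
}
```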