mirror of https://gitee.com/openkylin/linux.git
1c2eb5b285
The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
vmci_context.c | ||
vmci_context.h | ||
vmci_datagram.c | ||
vmci_datagram.h | ||
vmci_doorbell.c | ||
vmci_doorbell.h | ||
vmci_driver.c | ||
vmci_driver.h | ||
vmci_event.c | ||
vmci_event.h | ||
vmci_guest.c | ||
vmci_handle_array.c | ||
vmci_handle_array.h | ||
vmci_host.c | ||
vmci_queue_pair.c | ||
vmci_queue_pair.h | ||
vmci_resource.c | ||
vmci_resource.h | ||
vmci_route.c | ||
vmci_route.h |