vhost: check overflow before mmap

If memory_size + mmap_offset overflows then the memory region is bogus.
Do not use the overflowed mmap_size value for mmap().

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 7a8670c..8ec51c9 100644 (file)
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -730,7 +730,17 @@ vhost_user_set_mem_table(struct virtio_net *dev, struct VhostUserMsg *pmsg)
                reg->fd              = fd;
 
                mmap_offset = memory.regions[i].mmap_offset;
-               mmap_size   = reg->size + mmap_offset;
+
+               /* Check for memory_size + mmap_offset overflow */
+               if (mmap_offset >= -reg->size) {
+                       RTE_LOG(ERR, VHOST_CONFIG,
+                               "mmap_offset (%#"PRIx64") and memory_size "
+                               "(%#"PRIx64") overflow\n",
+                               mmap_offset, reg->size);
+                       goto err_mmap;
+               }
+
+               mmap_size = reg->size + mmap_offset;
 
                /* mmap() without flag of MAP_ANONYMOUS, should be called
                 * with length argument aligned with hugepagesz at older