31861f83bf
commit 1c2eb5b2853c9f513690ba6b71072d8eb65da16a upstream. The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| altera-stapl | ||
| c2port | ||
| cb710 | ||
| cxl | ||
| echo | ||
| eeprom | ||
| genwqe | ||
| ibmasm | ||
| lis3lv02d | ||
| mei | ||
| mic | ||
| sgi-gru | ||
| sgi-xp | ||
| ti-st | ||
| vmw_vmci | ||
| ad525x_dpot-i2c.c | ||
| ad525x_dpot-spi.c | ||
| ad525x_dpot.c | ||
| ad525x_dpot.h | ||
| apds990x.c | ||
| apds9802als.c | ||
| arm-charlcd.c | ||
| atmel-ssc.c | ||
| atmel_tclib.c | ||
| bh1770glc.c | ||
| bh1780gli.c | ||
| bmp085-i2c.c | ||
| bmp085-spi.c | ||
| bmp085.c | ||
| bmp085.h | ||
| cs5535-mfgpt.c | ||
| ds1682.c | ||
| dummy-irq.c | ||
| enclosure.c | ||
| fsa9480.c | ||
| hmc6352.c | ||
| hpilo.c | ||
| hpilo.h | ||
| ics932s401.c | ||
| ioc4.c | ||
| isl29003.c | ||
| isl29020.c | ||
| Kconfig | ||
| kgdbts.c | ||
| lattice-ecp3-config.c | ||
| lkdtm.c | ||
| Makefile | ||
| pch_phub.c | ||
| phantom.c | ||
| pti.c | ||
| qcom-coincell.c | ||
| spear13xx_pcie_gadget.c | ||
| sram.c | ||
| ti_dac7512.c | ||
| tifm_7xx1.c | ||
| tifm_core.c | ||
| tsl2550.c | ||
| vexpress-syscfg.c | ||
| vmw_balloon.c | ||