A flaw was found in the Linux kernel's Freescale hypervisor manager implementation. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. The "param.count" value is a u64 from the user. The code later assumes that param.count is at least one, leading to a ZERO_SIZE_PTR dereference in case it is not. Also, the addition can have an integer overflow which leads to allocating a smaller "pages" array than required.

Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c
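The two failure modes described above, modelled in userspace C as an added example (not the kernel's code or the upstream patch). The function names, the `lb_offset` parameter and the 4 KiB page size are assumptions made for illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                           /* assumed 4 KiB pages */
#define PAGE_SIZE  (UINT64_C(1) << PAGE_SHIFT)

/* Unvalidated form: round (offset in first page + count) up to whole pages.
 * count == 0 can yield 0 pages, and a huge count wraps to a small result. */
static uint64_t pages_unchecked(uint64_t count, uint64_t lb_offset)
{
    return (count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* Validated form: reject a zero length and any count whose sum would wrap,
 * before the value is used to size an allocation. */
static int pages_checked(uint64_t count, uint64_t lb_offset, uint64_t *num_pages)
{
    if (lb_offset >= PAGE_SIZE)
        return -EINVAL;                         /* offset must lie within one page */
    if (count == 0 || count > UINT64_MAX - lb_offset - (PAGE_SIZE - 1))
        return -EINVAL;
    *num_pages = (count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return 0;
}

int main(void)
{
    /* Constructed inputs: zero length, an ordinary copy, a wrapping length. */
    const uint64_t counts[] = { 0, 8192, UINT64_MAX };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint64_t n = 0;
        int rc = pages_checked(counts[i], 16, &n);

        printf("count=%" PRIu64 " unchecked_pages=%" PRIu64 " checked_rc=%d pages=%" PRIu64 "\n",
               counts[i], pages_unchecked(counts[i], 16), rc, n);
    }
    return 0;
}
```

With the unchecked arithmetic, a count of `UINT64_MAX` at offset 16 rounds to a single page, so the array sized from that result is far smaller than the length later used for the copy.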
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1711195]
kernel-5.0.17-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgments: Name: Murray McAllister