A flaw was found in the Linux kernel's Freescale hypervisor manager implementation. A parameter passed to an ioctl was incorrectly validated and used in size calculations for page size calculation,
The "param.count" value is a u64 from the user. The code later assumes that param.count is at least one, leading to a ZERO_SIZE_PTR dereference in case it is not. Also the addition can have an integer overflow which leads to allocating a smaller "pages" array than required.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1711195]
kernel-5.0.17-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Name: Murray McAllister
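The two size-calculation problems described above (a zero count and an overflowing addition), as a user-space C model added here; it is not the kernel driver's code. The round-up formula, the 4096-byte page size and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096ULL /* assumed page size for this model */

/* Unchecked: rounds count bytes starting at an in-page offset up to whole
 * pages. A zero count at offset 0 gives 0 pages (in the kernel a zero-size
 * allocation returns ZERO_SIZE_PTR), and a huge count wraps the 64-bit sum. */
uint64_t pages_unchecked(uint64_t count, uint64_t offset)
{
    return (count + offset + PAGE_SZ - 1) / PAGE_SZ;
}

/* Checked: reject a zero count and any count whose sum would wrap,
 * before the result is used to size the "pages" array. */
int pages_checked(uint64_t count, uint64_t offset, uint64_t *out)
{
    if (offset >= PAGE_SZ)
        return -EINVAL; /* offset must lie inside one page */
    if (count == 0)
        return -EINVAL; /* later code assumes at least one page */
    if (count > UINT64_MAX - offset - (PAGE_SZ - 1))
        return -EINVAL; /* count + offset + PAGE_SZ - 1 would overflow */
    *out = (count + offset + PAGE_SZ - 1) / PAGE_SZ;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: {count, offset}. */
    const uint64_t in[][2] = {
        {0, 0}, {4097, 0}, {2, 4095}, {UINT64_MAX - 10, 100},
    };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        uint64_t n = 0;
        int rc = pages_checked(in[i][0], in[i][1], &n);
        printf("count=%llu offset=%llu unchecked=%llu checked rc=%d n=%llu\n",
               (unsigned long long)in[i][0], (unsigned long long)in[i][1],
               (unsigned long long)pages_unchecked(in[i][0], in[i][1]),
               rc, (unsigned long long)n);
    }
    return 0;
}
```

In the last sample the unchecked form reports a single page for a count close to 2^64, which is the undersized "pages" array the description refers to; the checked form rejects it.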