MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-23 07:23:12 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

vfio/platform: check the bounds of read/write syscalls

Browse Source 
count and offset are passed from user space and not checked, only
offset is capped to 40 bits, which can be used to read/write out of
bounds of the device.

Fixes: 6e3f264560 (“vfio/platform: read and write support for the device fd”)
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
This commit is contained in:
Alex Williamson 2025-01-22 10:38:30 -07:00
parent e021e6cbfb
commit ce9ff21ea8
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/vfio/platform/vfio_platform_common.c
View File

@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(struct vfio_platform_region *reg,
{ {
unsigned int done = 0; unsigned int done = 0;
if (off >= reg->size)
return -EINVAL;
count = min_t(size_t, count, reg->size - off);
if (!reg->ioaddr) { if (!reg->ioaddr) {
reg->ioaddr = reg->ioaddr =
ioremap(reg->addr, reg->size); ioremap(reg->addr, reg->size);
@ -467,6 +472,11 @@ static ssize_t vfio_platform_write_mmio(struct vfio_platform_region *reg,
{ {
unsigned int done = 0; unsigned int done = 0;
if (off >= reg->size)
return -EINVAL;
count = min_t(size_t, count, reg->size - off);
if (!reg->ioaddr) { if (!reg->ioaddr) {
reg->ioaddr = reg->ioaddr =
ioremap(reg->addr, reg->size); ioremap(reg->addr, reg->size);