Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

vfio/platform: check the bounds of read/write syscalls

count and offset are passed from user space and not checked, only
offset is capped to 40 bits, which can be used to read/write out of
bounds of the device.

Fixes: 6e3f26456009 ("vfio/platform: read and write support for the device fd")
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

+10
drivers/vfio/platform/vfio_platform_common.c
··· 388 388 { 389 389 unsigned int done = 0; 390 390 391 + if (off >= reg->size) 392 + return -EINVAL; 393 + 394 + count = min_t(size_t, count, reg->size - off); 395 + 391 396 if (!reg->ioaddr) { 392 397 reg->ioaddr = 393 398 ioremap(reg->addr, reg->size); ··· 471 466 loff_t off) 472 467 { 473 468 unsigned int done = 0; 469 + 470 + if (off >= reg->size) 471 + return -EINVAL; 472 + 473 + count = min_t(size_t, count, reg->size - off); 474 474 475 475 if (!reg->ioaddr) { 476 476 reg->ioaddr =
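Review bot: in the read helper (new lines 391-395), the clamp `count = min_t(size_t, count, reg->size - off);` silently truncates a read that straddles the end of the region while an offset at or past the end returns -EINVAL rather than 0, and nothing in the hunk says the asymmetry is intended; a one-line comment above `if (off >= reg->size)` stating that partial reads are deliberate, and that the check relies on the caller having already masked the offset (the 40-bit cap the commit message refers to) so `off` cannot be negative here, would make both assumptions explicit for the next reader.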
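Review bot: the write helper (new lines 469-473) repeats the read helper's check and clamp byte for byte; a small static helper that validates `off` against `reg->size` and returns the clamped count, called from both paths, would keep them from drifting apart. The clamp also changes user-visible behaviour on the write side: a write crossing the region boundary now completes as a short write of `done` bytes instead of being rejected, which the commit message does not mention; since the patch is Cc'ed to stable, a sentence there noting that boundary-crossing writes are truncated rather than refused would help backporters judge the change.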