Commit 3287794d authored by Alex Williamson, committed by Wen Zhiwei

vfio/platform: check the bounds of read/write syscalls

stable inclusion
from stable-v6.6.75
commit c981c32c38af80737a2fedc16e270546d139ccdd
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBSPQB

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c981c32c38af80737a2fedc16e270546d139ccdd



--------------------------------

commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.

count and offset are passed from user space and not checked, only
offset is capped to 40 bits, which can be used to read/write out of
bounds of the device.

Fixes: 6e3f2645 (“vfio/platform: read and write support for the device fd”)
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wen Zhiwei <wenzhiwei@kylinos.cn>
parent 2465b398
+10 −0
@@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(struct vfio_platform_region *reg,
{
	unsigned int done = 0;

	if (off >= reg->size)
		return -EINVAL;

	count = min_t(size_t, count, reg->size - off);

	if (!reg->ioaddr) {
		reg->ioaddr =
			ioremap(reg->addr, reg->size);
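Review bot: The clamp `count = min_t(size_t, count, reg->size - off);` in vfio_platform_read_mmio forces the difference to size_t before comparing, and the declarations of `off` and `reg->size` are not visible in this hunk. If either is wider than size_t on some build, the difference is truncated first; the result can still never exceed the bytes remaining in the region, so the bound holds, but a read may be shortened more than necessary, down to 0 bytes. Consider doing the comparison in the wider type, or add a one-line comment above the clamp stating why the size_t cast is safe for these operands.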
@@ -467,6 +472,11 @@ static ssize_t vfio_platform_write_mmio(struct vfio_platform_region *reg,
{
	unsigned int done = 0;

	if (off >= reg->size)
		return -EINVAL;

	count = min_t(size_t, count, reg->size - off);

	if (!reg->ioaddr) {
		reg->ioaddr =
			ioremap(reg->addr, reg->size);
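Review bot: The bounds check at the top of vfio_platform_write_mmio is a verbatim copy of the one in vfio_platform_read_mmio, so a later change to one path can miss the other. Suggest moving `if (off >= reg->size) return -EINVAL;` and the min_t() clamp into one small helper called from both functions. Separately, the clamp turns an over-long write into a short write rather than an error, so a user-space caller that ignores the return value will assume the whole buffer reached the device; a comment documenting that contract next to the clamp would help.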