Commit 5fc74f7a authored by Alex Williamson, committed by Tong Tiangen

vfio/platform: check the bounds of read/write syscalls

stable inclusion
from stable-v5.10.234
commit d19a8650fd3d7aed8d1af1d9a77f979a8430eba1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBLDIK
CVE: CVE-2025-21687

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d19a8650fd3d7aed8d1af1d9a77f979a8430eba1
------------------

commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.

count and offset are passed from user space and not checked; only
offset is capped to 40 bits, which can be used to read/write out of
bounds of the device.

Fixes: 6e3f2645 ("vfio/platform: read and write support for the device fd")
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts:
	drivers/vfio/platform/vfio_platform_common.c
[context conflict]
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
parent d54ba3f5
+10 −0
@@ -413,6 +413,11 @@ static ssize_t vfio_platform_read_mmio(struct vfio_platform_region *reg,
{
	unsigned int done = 0;

	if (off >= reg->size)
		return -EINVAL;

	count = min_t(size_t, count, reg->size - off);

	if (!reg->ioaddr) {
		reg->ioaddr =
			ioremap_nocache(reg->addr, reg->size);
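Review bot: The order of the two new statements is what makes `reg->size - off` safe: the early `return -EINVAL` for `off >= reg->size` guarantees the subtraction cannot wrap, so the `min_t()` clamp must stay below that check if anyone later reshuffles this prologue. The bounds logic is otherwise uncommented; a one-line comment noting that `off` and `count` arrive unchecked from the fd's read path (as the commit message states) would tell the next reader why a plain `done = 0` function opens with a range check. Note also that clamping `count` turns an over-long request into a short read rather than an error, which matches read(2) semantics and keeps the `done` accounting below within `reg->size`.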
@@ -490,6 +495,11 @@ static ssize_t vfio_platform_write_mmio(struct vfio_platform_region *reg,
{
	unsigned int done = 0;

	if (off >= reg->size)
		return -EINVAL;

	count = min_t(size_t, count, reg->size - off);

	if (!reg->ioaddr) {
		reg->ioaddr =
			ioremap_nocache(reg->addr, reg->size);
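Review bot: These five lines duplicate the read-side check verbatim; a small shared helper that validates `off` against `reg->size` and clamps `count` would keep the two paths from drifting apart on a later edit and give the check a single place to be tested. With the check placed ahead of the lazy `ioremap_nocache()` below, an out-of-range offset is now rejected before the region is mapped at all, so a request that will fail no longer causes the mapping to be created as a side effect.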