Patch "remoteproc: Harden rproc_handle_vdev() against integer overflow" has been added to the 6.0-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    remoteproc: Harden rproc_handle_vdev() against integer overflow

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     remoteproc-harden-rproc_handle_vdev-against-integer-.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6b046c340977a92d1b58ca290047861d8d1f38b7
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Thu Sep 15 17:11:44 2022 +0300

    remoteproc: Harden rproc_handle_vdev() against integer overflow
    
    [ Upstream commit 7d7f8fe4e399519cc9ac68a475fec6d3a996341b ]
    
    The struct_size() macro protects against integer overflows but adding
    "+ rsc->config_len" introduces the risk of integer overflows again.
    Use size_add() to be safe.
    
    Fixes: c87846571587 ("remoteproc: use struct_size() helper")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
    Reviewed-by: Mukesh Ojha <quic_mojha@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/YyMyoPoGOJUcEpZT@kili
    Signed-off-by: Mathieu Poirier <mathieu.poirier@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index e5279ed9a8d7..4fc5ce2187ac 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -520,12 +520,13 @@ static int rproc_handle_vdev(struct rproc *rproc, void *ptr,
 	struct fw_rsc_vdev *rsc = ptr;
 	struct device *dev = &rproc->dev;
 	struct rproc_vdev *rvdev;
+	size_t rsc_size;
 	int i, ret;
 	char name[16];
 
 	/* make sure resource isn't truncated */
-	if (struct_size(rsc, vring, rsc->num_of_vrings) + rsc->config_len >
-			avail) {
+	rsc_size = struct_size(rsc, vring, rsc->num_of_vrings);
+	if (size_add(rsc_size, rsc->config_len) > avail) {
 		dev_err(dev, "vdev rsc is truncated\n");
 		return -EINVAL;
 	}
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux