Re: [PATCH] staging: axis-fifo: fix integer overflow in write()

[Greg KH <gregkh@linuxfoundation.org>]

On Tue, Oct 07, 2025 at 02:18:47PM +0200, Greg KH wrote:
> On Tue, Oct 07, 2025 at 03:58:13PM +0400, Murad Sadigov wrote:
> > Fix integer overflow in axis_fifo_write() that allows local users
> > to bypass buffer validation, potentially causing hardware FIFO
> > buffer overflow and system denial of service.
> > 
> > The axis_fifo_write() function converts user-controlled size_t 'len'
> > (64-bit) to unsigned int 'words_to_write' (32-bit) without overflow
> > checking at line 322:
> > 
> >     words_to_write = len / sizeof(u32);
> > 
> > On 64-bit systems, when len equals 0x400000000 (16 GiB):
> >   - Division: 0x400000000 / 4 = 0x100000000 (requires 33 bits)
> >   - Truncation: Result stored in 32-bit variable = 0 (overflow)
> >   - Validation bypass: if (0 > fifo_depth) evaluates to false
> >   - Impact: Hardware FIFO overflow, system crash
> > 
> > This allows unprivileged local users with access to /dev/axis_fifo*
> > to trigger denial of service.
> > 
> > The fix adds overflow check before type conversion to ensure len
> > does not exceed the maximum safe value (UINT_MAX * sizeof(u32)).
> > 
> > Affected systems include embedded devices using Xilinx FPGA with
> > AXI-Stream FIFO IP cores.
> > 
> > Signed-off-by: Murad Sadigov <sdgvmrd@gmail.com>
> > ---
> >  drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/drivers/staging/axis-fifo/axis-fifo.c
> > b/drivers/staging/axis-fifo/axis-fifo.c
> > index 1234567890ab..abcdef123456 100644
> > --- a/drivers/staging/axis-fifo/axis-fifo.c
> > +++ b/drivers/staging/axis-fifo/axis-fifo.c
> > @@ -319,6 +319,13 @@ static ssize_t axis_fifo_write(struct file *f,
> > const char __user *buf,
> >   return -EINVAL;
> >   }
> > 
> > + /* Prevent integer overflow in words calculation */
> > + if (len > (size_t)UINT_MAX * sizeof(u32)) {
> > + dev_err(fifo->dt_device,
> > + "write length %zu exceeds maximum %zu bytes\n",
> > + len, (size_t)UINT_MAX * sizeof(u32));
> > + return -EINVAL;
> > + }
> > +
> 
> Something went wrong here, your email client dropped all of the leading
> spaces :(
> 
> Also, you do not want to allow userspace to cause a DoS on the kernel
> log, so don't log this information, just return an error, no need to
> print anything.

Also, look at this function in the linux-next branch.  It has been
rewritten and I think will not fail in the same way you are thinking it
will fail here.  I'll get those changes to Linus by the end of this
week, sorry for not noticing they were not flushed out to his tree yet.

thanks,

greg k-h