From: Greg KH <gregkh@linuxfoundation.org>
To: Rion Kiguchi <kiguchi.r.sec@gmail.com>
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] staging: vme_user: validate slave window size against buffer size
Date: Thu, 21 May 2026 11:20:14 +0200 [thread overview]
Message-ID: <2026052104-venture-batboy-54d2@gregkh> (raw)
In-Reply-To: <20260514034511.4244-1-kiguchi.r.sec@gmail.com>
On Thu, May 14, 2026 at 12:45:10PM +0900, Rion Kiguchi wrote:
> The VME_SET_SLAVE ioctl in drivers/staging/vme_user/vme_user.c accepts
> a user-controlled slave.size and forwards it to vme_slave_set() without
> comparing it against image[minor].size_buf. The slave-image kernel
> buffer is allocated at probe time with a fixed size of PCI_BUF_SIZE
> (0x20000 / 128 KiB), but the configured VME window size can be made
> much larger via the ioctl.
>
> Additionally, a slave.size of 0 is permitted, which causes vme_get_size()
> to return 0. In vme_user_read() and vme_user_write(), the boundary check
> (*ppos > image_size - 1) suffers from an integer underflow because
> image_size is size_t. This bypasses the bounds check entirely, allowing
> offsets beyond the actual allocation.
>
> Result: a local user with read/write access to /dev/bus/vme/s* can
> trigger out-of-bounds read and write of the kernel slab adjacent to
> the slave-image buffer.
>
> Fix: reject slave.size == 0 and slave.size > size_buf in the VME_SET_SLAVE
> handler. With this check in place, the existing bounds checks in
> vme_user_read() / vme_user_write() against vme_get_size() are
> sufficient to prevent OOB access.
>
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Rion Kiguchi <kiguchi.r.sec@gmail.com>
> ---
> Changes in v4:
> - Add check for slave.size == 0 to prevent integer underflow in bounds check.
> - Remove trailing whitespaces inadvertently added in previous versions.
> - Remove Fixes and Cc: stable tags to resolve checkpatch warnings based on maintainer feedback.
Please see the review comments:
https://sashiko.dev/#/patchset/20260514034511.4244-1-kiguchi.r.sec@gmail.com
prev parent reply other threads:[~2026-05-21 9:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2026050935-designing-glancing-2e16@gregkh>
2026-05-09 9:26 ` [PATCH v3] staging: vme_user: validate slave window size against buffer size Rion Kiguchi
2026-05-09 9:58 ` Greg Kroah-Hartman
2026-05-14 3:45 ` [PATCH v4] " Rion Kiguchi
2026-05-21 9:20 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026052104-venture-batboy-54d2@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=kiguchi.r.sec@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox