* [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg()
@ 2025-12-18 14:43 Junrui Luo
2025-12-18 14:57 ` Greg Kroah-Hartman
0 siblings, 1 reply; 2+ messages in thread
From: Junrui Luo @ 2025-12-18 14:43 UTC (permalink / raw)
To: Brad Warrum, Ritu Agarwal, Arnd Bergmann, Greg Kroah-Hartman,
Adam Reznechek, Steven Royer, Bryant G. Ly, Randy Dunlap
Cc: linux-kernel, Yuhao Jiang, Junrui Luo
The ibmvmc_recv_msg() function receives a msg_len value from the
hypervisor and uses it directly in h_copy_rdma() without validating.
This can result a buffer overflow.
Add a check to ensure msg_len does not exceed buffer->size before
calling h_copy_rdma().
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
drivers/misc/ibmvmc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/misc/ibmvmc.c b/drivers/misc/ibmvmc.c
index e5f935b5249d..e583a73a3592 100644
--- a/drivers/misc/ibmvmc.c
+++ b/drivers/misc/ibmvmc.c
@@ -1654,6 +1654,12 @@ static int ibmvmc_recv_msg(struct crq_server_adapter *adapter,
}
/* RDMA the data into the partition. */
+ if (msg_len > buffer->size) {
+ dev_err(adapter->dev, "Recv_msg: msg_len 0x%x exceeds buffer size 0x%x\n",
+ (unsigned int)msg_len, (unsigned int)buffer->size);
+ spin_unlock_irqrestore(&hmc->lock, flags);
+ return -EINVAL;
+ }
rc = h_copy_rdma(msg_len,
adapter->riobn,
buffer->dma_addr_remote,
---
base-commit: ea1013c1539270e372fc99854bc6e4d94eaeff66
change-id: 20251218-fixes-1fa33e72a87f
Best regards,
--
Junrui Luo <moonafterrain@outlook.com>
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg()
2025-12-18 14:43 [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg() Junrui Luo
@ 2025-12-18 14:57 ` Greg Kroah-Hartman
0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2025-12-18 14:57 UTC (permalink / raw)
To: Junrui Luo
Cc: Brad Warrum, Ritu Agarwal, Arnd Bergmann, Adam Reznechek,
Steven Royer, Bryant G. Ly, Randy Dunlap, linux-kernel,
Yuhao Jiang
On Thu, Dec 18, 2025 at 10:43:11PM +0800, Junrui Luo wrote:
> The ibmvmc_recv_msg() function receives a msg_len value from the
> hypervisor and uses it directly in h_copy_rdma() without validating.
> This can result a buffer overflow.
>
> Add a check to ensure msg_len does not exceed buffer->size before
> calling h_copy_rdma().
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)")
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> drivers/misc/ibmvmc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/misc/ibmvmc.c b/drivers/misc/ibmvmc.c
> index e5f935b5249d..e583a73a3592 100644
> --- a/drivers/misc/ibmvmc.c
> +++ b/drivers/misc/ibmvmc.c
> @@ -1654,6 +1654,12 @@ static int ibmvmc_recv_msg(struct crq_server_adapter *adapter,
> }
>
> /* RDMA the data into the partition. */
> + if (msg_len > buffer->size) {
> + dev_err(adapter->dev, "Recv_msg: msg_len 0x%x exceeds buffer size 0x%x\n",
> + (unsigned int)msg_len, (unsigned int)buffer->size);
Don't allow broken hardware to spam the kernel log. Make this a
debugging message instead.
And place the check above the comment?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-12-18 14:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-18 14:43 [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg() Junrui Luo
2025-12-18 14:57 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox