From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v5 1/3] fpga: dfl: add bounds check in dfh_get_param_size()
Date: Mon, 4 May 2026 06:13:30 -0600
Message-ID: <20260504121332.1053563-1-sebasjosue84@gmail.com>

dfh_get_param_size() can return a parameter size larger than the
feature region because the loop bounds check is evaluated before
incrementing size. If the EOP (End of Parameters) bit is set in the
same iteration, the inflated size is returned without re-validation
against max.

This can cause create_feature_instance() to call memcpy_fromio() with a
size exceeding the ioremap'd region when a malicious FPGA device
provides crafted DFHv1 parameter headers.

Add a bounds check after the size increment to ensure the accumulated
size never exceeds the feature boundary.

Fixes: a80a4b2b2e4f ("fpga: dfl: add support for DFHv1")
Signed-off-by: Sebastian Alba Vives
---
Changes in v5:
- Add blank line after the new bounds check. Suggested by Xu Yilun.

Changes in v4:
- Resubmit as full series per maintainer request.

Changes in v2:
- Use (size > max) instead of (size + DFHv1_PARAM_HDR > max).
  Suggested by Xu Yilun.
---
 drivers/fpga/dfl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index 81d7a68..4c63c7c 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c @@ -1134,6 +1134,7 @@ static int dfh_get_param_size(void __iomem *dfh_base, resource_size_t max) size += next * sizeof(u64); if (size > max) return -EINVAL; + if (FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)) return size; } -- 2.43.0
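
Review bot: the hunk in drivers/fpga/dfl.c does not contain the bounds check the commit message describes. Both `if (size > max)` and `return -EINVAL;` are unchanged context, and the only `+` line is the blank line between `return -EINVAL;` and the `FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)` test. That matches the diffstat of 1 insertion and the hunk header going from 6 to 7 lines. The patch looks like it was generated on a tree that already had an earlier revision applied. Please regenerate it against the base without that revision, so the check and the blank line all show up as added lines. As posted, the context would not match a tree that lacks the check, and the Fixes: tag and stable Cc would carry no functional change.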
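
The loop pattern the commit message describes, as an added userspace model (not the kernel's code and not part of the posted patch), run once with only the loop-condition bound and once with the re-check after the increment. The header layout, `PARAM_START`, `MK_HDR`, `param_size()`, its `recheck` flag and both sample regions are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model layout (assumed for this example): a 64-bit parameter header with a
 * "next" offset in 8-byte words in the high bits and an EOP flag bit. */
#define PARAM_START 8u                 /* hypothetical offset of the first header */
#define HDR_EOP (1ULL << 32)
#define HDR_NEXT_SHIFT 35
#define MK_HDR(next, eop) (((uint64_t)(next) << HDR_NEXT_SHIFT) | ((eop) ? HDR_EOP : 0))

/* Constructed sample regions; only the first `max` bytes belong to the feature. */
static const uint64_t good_region[8]    = { 0, MK_HDR(2, 1) };   /* 16 bytes of params */
static const uint64_t crafted_region[8] = { 0, MK_HDR(16, 1) };  /* claims 128 bytes */

/* recheck == 0: only the loop condition bounds `size` (the behaviour described
 * as the bug); recheck == 1: re-validate after the increment (the fix). */
static long param_size(const void *region, size_t max, int recheck)
{
	size_t size = 0;

	while (size + PARAM_START < max) {
		uint64_t v, next;

		memcpy(&v, (const uint8_t *)region + PARAM_START + size, sizeof(v));
		next = v >> HDR_NEXT_SHIFT;
		if (!next)
			return -1;             /* stands in for -EINVAL */

		size += next * sizeof(uint64_t);
		if (recheck && size > max)
			return -1;

		if (v & HDR_EOP)
			return (long)size;     /* a caller would copy this many bytes */
	}
	return -2;                         /* stands in for -ENOENT */
}

int main(void)
{
	printf("good:    unchecked=%ld checked=%ld\n",
	       param_size(good_region, 32, 0), param_size(good_region, 32, 1));
	printf("crafted: unchecked=%ld checked=%ld\n",
	       param_size(crafted_region, 32, 0), param_size(crafted_region, 32, 1));
	return 0;
}
```

With `max` set to 32, the well-formed region yields 16 either way, while the crafted header yields 128 without the re-check and an error with it.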