From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v6 1/3] fpga: dfl: add bounds check in dfh_get_param_size()
Date: Tue, 12 May 2026 07:07:08 -0600
Message-ID: <20260512130710.933089-2-sebasjosue84@gmail.com>
In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com>
References: <20260512130710.933089-1-sebasjosue84@gmail.com>

dfh_get_param_size() can return a parameter size larger than the feature region because the loop bounds check is evaluated before incrementing size. If the EOP (End of Parameters) bit is set in the same iteration, the inflated size is returned without re-validation against max.

This can cause create_feature_instance() to call memcpy_fromio() with a size exceeding the ioremap'd region when a malicious FPGA device provides crafted DFHv1 parameter headers.

Add a bounds check after the size increment to ensure the accumulated size never exceeds the feature boundary.

Fixes: a80a4b2b2e4f ("fpga: dfl: add support for DFHv1")
Signed-off-by: Sebastian Alba Vives --- Changes in v6: - Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun. Changes in v5: - Add blank line after the new bounds check. Suggested by Xu Yilun. Changes in v2: - Use (size > max) instead of (size + DFHv1_PARAM_HDR > max). Suggested by Xu Yilun. --- drivers/fpga/dfl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index 4087a36a0..4c63c7c85 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c @@ -1132,6 +1132,8 @@ static int dfh_get_param_size(void __iomem *dfh_base, resource_size_t max) return -EINVAL; size += next * sizeof(u64); + if (size > max) + return -EINVAL; if (FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)) return size; -- 2.43.0
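
Review bot: The added `if (size > max)` check in dfh_get_param_size() is only sound if `size` cannot wrap or turn negative in the preceding `size += next * sizeof(u64);`, and the hunk does not show how `size` is declared. The function returns int while `max` is resource_size_t, so please confirm in the series that `size` is wide enough and unsigned for the comparison, and that the value returned on the EOP path still fits the int return type. A one-line comment above the new check saying that the loop condition is evaluated before the increment, so the EOP iteration needs its own re-validation, would also keep a later cleanup from removing it as redundant.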