From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xie Yongji <xieyongji@bytedance.com>,
Jason Wang <jasowang@redhat.com>,
"Michael S . Tsirkin" <mst@redhat.com>,
Sasha Levin <sashal@kernel.org>,
virtualization@lists.linux-foundation.org
Subject: [PATCH AUTOSEL 5.4 27/28] virtio_console: Assure used length from device is limited
Date: Sat, 10 Jul 2021 19:51:06 -0400
Message-ID: <20210710235107.3221840-27-sashal@kernel.org>
In-Reply-To: <20210710235107.3221840-1-sashal@kernel.org>
From: Xie Yongji <xieyongji@bytedance.com>
[ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]
The buf->len might come from an untrusted device. This
ensures the value would not exceed the size of the buffer
to avoid data corruption or loss.
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/virtio_console.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 5eabbf73fdef..b453029487a1 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -475,7 +475,7 @@ static struct port_buffer *get_inbuf(struct port *port)
buf = virtqueue_get_buf(port->in_vq, &len);
if (buf) {
- buf->len = len;
+ buf->len = min_t(size_t, len, buf->size);
buf->offset = 0;
port->stats.bytes_received += len;
}
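Review bot: port->stats.bytes_received is still incremented by the raw device-supplied len on the line after the clamp in get_inbuf(), so a device that reports an oversized used length can inflate the counter even though only buf->size bytes are ever readable. Consider accounting the clamped value instead, for example "port->stats.bytes_received += buf->len;", so the statistic matches what the driver actually accepts. The same min_t() expression also appears at both call sites in this patch; a small helper would keep any future virtqueue_get_buf() caller from missing the bound.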
@@ -1714,7 +1714,7 @@ static void control_work_handler(struct work_struct *work)
while ((buf = virtqueue_get_buf(vq, &len))) {
spin_unlock(&portdev->c_ivq_lock);
- buf->len = len;
+ buf->len = min_t(size_t, len, buf->size);
buf->offset = 0;
handle_control_message(vq->vdev, portdev, buf);
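Review bot: in control_work_handler() the clamp is silent, so when the device reports len larger than buf->size the truncated buffer is still passed to handle_control_message() as if it were a well-formed control message. A used length beyond the posted buffer size means the device is misbehaving; consider emitting a rate-limited warning when len > buf->size, or skipping the message on this path, rather than processing it unmarked. The clamp also bounds only the upper end, and these lines do not show whether handle_control_message() rejects a buf->len shorter than the control header, which is worth confirming for the same untrusted-device model.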
--
2.30.2