releases/5.15.11/vduse-fix-memory-corruption-in-vduse_dev_ioctl.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From ff9f9c6e74848170fcb45c8403c80d661484c8c9 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Wed, 8 Dec 2021 13:33:07 +0300
 Subject: vduse: fix memory corruption in vduse_dev_ioctl()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit ff9f9c6e74848170fcb45c8403c80d661484c8c9 upstream.

 The "config.offset" comes from the user.  There needs to a check to
 prevent it being out of bounds.  The "config.offset" and
 "dev->config_size" variables are both type u32.  So if the offset if
 out of bounds then the "dev->config_size - config.offset" subtraction
 results in a very high u32 value.  The out of bounds offset can result
 in memory corruption.

 Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Link: https://lore.kernel.org/r/20211208103307.GA3778@kili
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Cc: stable@vger.kernel.org
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/vdpa/vdpa_user/vduse_dev.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

 --- a/drivers/vdpa/vdpa_user/vduse_dev.c
 +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
 @@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file
  			break;

  		ret = -EINVAL;
 -		if (config.length == 0 ||
 +		if (config.offset > dev->config_size ||
 +		    config.length == 0 ||
  		    config.length > dev->config_size - config.offset)
  			break;
	From ff9f9c6e74848170fcb45c8403c80d661484c8c9 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Wed, 8 Dec 2021 13:33:07 +0300
	Subject: vduse: fix memory corruption in vduse_dev_ioctl()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit ff9f9c6e74848170fcb45c8403c80d661484c8c9 upstream.

	The "config.offset" comes from the user. There needs to a check to
	prevent it being out of bounds. The "config.offset" and
	"dev->config_size" variables are both type u32. So if the offset if
	out of bounds then the "dev->config_size - config.offset" subtraction
	results in a very high u32 value. The out of bounds offset can result
	in memory corruption.

	Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Link: https://lore.kernel.org/r/20211208103307.GA3778@kili
	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
	Cc: stable@vger.kernel.org
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/vdpa/vdpa_user/vduse_dev.c \| 3 ++-
	1 file changed, 2 insertions(+), 1 deletion(-)

	--- a/drivers/vdpa/vdpa_user/vduse_dev.c
	+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
	@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file
	break;

	ret = -EINVAL;
	- if (config.length == 0 \|\|
	+ if (config.offset > dev->config_size \|\|
	+ config.length == 0 \|\|
	config.length > dev->config_size - config.offset)
	break;