Message-Id: <20221128174120.1442235-18-sashal@kernel.org>
Date: Mon, 28 Nov 2022 12:41:18 -0500
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Dominique Martinet <asmadeus@...ewreck.org>,
Stefano Stabellini <sstabellini@...nel.org>,
Christian Schoenebeck <linux_oss@...debyte.com>,
Sasha Levin <sashal@...nel.org>, ericvh@...il.com,
lucho@...kov.net, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com,
v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org
Subject: [PATCH AUTOSEL 5.10 18/19] 9p/xen: check logical size for buffer size
From: Dominique Martinet <asmadeus@...ewreck.org>

[ Upstream commit 391c18cf776eb4569ecda1f7794f360fe0a45a26 ]

trans_xen did not check the data fits into the buffer before copying
from the xen ring, but we probably should.
Add a check that just skips the request and returns an error to
userspace if it did not fit.

Tested-by: Stefano Stabellini <sstabellini@...nel.org>
Reviewed-by: Christian Schoenebeck <linux_oss@...debyte.com>
Link: https://lkml.kernel.org/r/20221118135542.63400-1-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
net/9p/trans_xen.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 432ac5a16f2e..6c8a33f98f09 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -231,6 +231,14 @@ static void p9_xen_response(struct work_struct *work)
continue;
}
+ if (h.size > req->rc.capacity) {
+ dev_warn(&priv->dev->dev,
+ "requested packet size too big: %d for tag %d with capacity %zd\n",
+ h.size, h.tag, req->rc.capacity);
+ req->status = REQ_STATUS_ERROR;
+ goto recv_error;
+ }
+
memcpy(&req->rc, &h, sizeof(h));
req->rc.offset = 0;
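Review bot: the new test `if (h.size > req->rc.capacity)` bounds the size only from above, so a header whose size field is smaller than sizeof(h) still passes and reaches `memcpy(&req->rc, &h, sizeof(h));` and the ring copy that follows. Since h comes off the shared ring, consider rejecting `h.size < sizeof(h)` in the same branch so both ends of the range are validated before anything is copied. A smaller point on the dev_warn() call: h.size and h.tag are printed with %d and the capacity with %zd; if these fields are unsigned, as the comparison against a capacity suggests, %u and %zu would keep an oversized value from being logged as a negative number, which matters because this message is the main diagnostic an operator gets when the check fires.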
@@ -240,6 +248,7 @@ static void p9_xen_response(struct work_struct *work)
masked_prod, &masked_cons,
XEN_9PFS_RING_SIZE(ring));
+recv_error:
virt_mb();
cons += h.size;
ring->intf->in_cons = cons;
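Review bot: placing `recv_error:` ahead of `cons += h.size;` means the error path advances the consumer index by the same h.size that was just rejected as too large, and nothing in the visible context bounds that value by the amount of data actually queued in the ring. A size larger than what the other end has produced would move in_cons past the producer index. Consider checking h.size against the queued byte count before skipping, or documenting in a comment above the label why advancing by an unvalidated size is safe here. It is also worth confirming that the code following this hunk completes the request with the REQ_STATUS_ERROR set before the goto rather than overwriting it, since the commit message promises an error to userspace.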
--
2.35.1