lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20250804082523.419159-1-xiehongyu1@kylinos.cn>
Date: Mon,  4 Aug 2025 16:25:23 +0800
From: xiehongyu1@...inos.cn
To: yilun.xu@...el.com
Cc: trix@...hat.com,
	linux-kernel@...r.kernel.org,
	linux-fpga@...r.kernel.org,
	mdf@...nel.org,
	Hongyu Xie <xiehongyu1@...inos.cn>
Subject: [PATCH v1] fpga: afu: fix potential intege overflow

From: Hongyu Xie <xiehongyu1@...inos.cn>

Overflow Scenarios:
1, region->offset + region->size Overflow:
  When region->offset is close to U64_MAX and region->size is
sufficiently large, the addition result may wrap around to a
very small value (e.g., 0 or near 0).
  In this case, even if the target range [offset, offset+size)
falls within the region, the condition region->offset +
region->size >= offset + size will fail due to the wrapped
value being small. This causes the function to erroneously
return -EINVAL.

2, offset + size Overflow:
  When offset is close to U64_MAX and size is large, offset +
size wraps around to a small value.

  Here, region->offset + region->size (which would be a large
value if not overflowing) might incorrectly satisfy
region->offset + region->size >= offset + size due to the
wrapped small value. This leads to a false match, even though
the actual range [offset, offset+size) spans the wrap-around
boundary and does not belong to this region.

So fix these two scenarios.

Signed-off-by: Hongyu Xie <xiehongyu1@...inos.cn>
---
 drivers/fpga/dfl-afu-region.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/fpga/dfl-afu-region.c b/drivers/fpga/dfl-afu-region.c
index b11a5b21e666..449c2ae809bd 100644
--- a/drivers/fpga/dfl-afu-region.c
+++ b/drivers/fpga/dfl-afu-region.c
@@ -157,7 +157,8 @@ int afu_mmio_region_get_by_offset(struct dfl_feature_dev_data *fdata,
 	afu = dfl_fpga_fdata_get_private(fdata);
 	for_each_region(region, afu)
 		if (region->offset <= offset &&
-		    region->offset + region->size >= offset + size) {
+		    region->size >= size &&
+		    (offset - region->offset) <= (region->size - size)) {
 			*pregion = *region;
 			goto exit;
 		}
-- 
2.25.1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ