[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEuvNs2b-_Q=dazKjhUwJoZ5XUpjRsf-FrCOTR_j24T+EG-f=g@mail.gmail.com>
Date: Tue, 7 Oct 2025 15:58:13 +0400
From: Murad Sadigov <sdgvmrd@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: [PATCH] staging: axis-fifo: fix integer overflow in write()
Fix integer overflow in axis_fifo_write() that allows local users
to bypass buffer validation, potentially causing hardware FIFO
buffer overflow and system denial of service.
The axis_fifo_write() function converts user-controlled size_t 'len'
(64-bit) to unsigned int 'words_to_write' (32-bit) without overflow
checking at line 322:
words_to_write = len / sizeof(u32);
On 64-bit systems, when len equals 0x400000000 (16 GiB):
- Division: 0x400000000 / 4 = 0x100000000 (requires 33 bits)
- Truncation: Result stored in 32-bit variable = 0 (overflow)
- Validation bypass: if (0 > fifo_depth) evaluates to false
- Impact: Hardware FIFO overflow, system crash
This allows unprivileged local users with access to /dev/axis_fifo*
to trigger denial of service.
The fix adds overflow check before type conversion to ensure len
does not exceed the maximum safe value (UINT_MAX * sizeof(u32)).
Affected systems include embedded devices using Xilinx FPGA with
AXI-Stream FIFO IP cores.
Signed-off-by: Murad Sadigov <sdgvmrd@...il.com>
---
drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/staging/axis-fifo/axis-fifo.c
b/drivers/staging/axis-fifo/axis-fifo.c
index 1234567890ab..abcdef123456 100644
--- a/drivers/staging/axis-fifo/axis-fifo.c
+++ b/drivers/staging/axis-fifo/axis-fifo.c
@@ -319,6 +319,13 @@ static ssize_t axis_fifo_write(struct file *f,
const char __user *buf,
return -EINVAL;
}
+ /* Prevent integer overflow in words calculation */
+ if (len > (size_t)UINT_MAX * sizeof(u32)) {
+ dev_err(fifo->dt_device,
+ "write length %zu exceeds maximum %zu bytes\n",
+ len, (size_t)UINT_MAX * sizeof(u32));
+ return -EINVAL;
+ }
+
words_to_write = len / sizeof(u32);
if (!words_to_write) {
--
2.34.1
Powered by blists - more mailing lists