lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <MEYPR01MB7886EBCF9C20CD275A572F65AFA8A@MEYPR01MB7886.ausprd01.prod.outlook.com>
Date: Thu, 18 Dec 2025 22:43:11 +0800
From: Junrui Luo <moonafterrain@...look.com>
To: Brad Warrum <bwarrum@...ux.ibm.com>, 
 Ritu Agarwal <rituagar@...ux.ibm.com>, Arnd Bergmann <arnd@...db.de>, 
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
 Adam Reznechek <adreznec@...ux.vnet.ibm.com>, 
 Steven Royer <seroyer@...ux.vnet.ibm.com>, 
 "Bryant G. Ly" <bryantly@...ux.vnet.ibm.com>, 
 Randy Dunlap <rdunlap@...radead.org>
Cc: linux-kernel@...r.kernel.org, Yuhao Jiang <danisjiang@...il.com>, 
 Junrui Luo <moonafterrain@...look.com>
Subject: [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg()

The ibmvmc_recv_msg() function receives a msg_len value from the
hypervisor and uses it directly in h_copy_rdma() without validating.
This can result a buffer overflow.

Add a check to ensure msg_len does not exceed buffer->size before
calling h_copy_rdma().

Reported-by: Yuhao Jiang <danisjiang@...il.com>
Reported-by: Junrui Luo <moonafterrain@...look.com>
Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)")
Signed-off-by: Junrui Luo <moonafterrain@...look.com>
---
 drivers/misc/ibmvmc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/misc/ibmvmc.c b/drivers/misc/ibmvmc.c
index e5f935b5249d..e583a73a3592 100644
--- a/drivers/misc/ibmvmc.c
+++ b/drivers/misc/ibmvmc.c
@@ -1654,6 +1654,12 @@ static int ibmvmc_recv_msg(struct crq_server_adapter *adapter,
 	}
 
 	/* RDMA the data into the partition. */
+	if (msg_len > buffer->size) {
+		dev_err(adapter->dev, "Recv_msg: msg_len 0x%x exceeds buffer size 0x%x\n",
+			(unsigned int)msg_len, (unsigned int)buffer->size);
+		spin_unlock_irqrestore(&hmc->lock, flags);
+		return -EINVAL;
+	}
 	rc = h_copy_rdma(msg_len,
 			 adapter->riobn,
 			 buffer->dma_addr_remote,

---
base-commit: ea1013c1539270e372fc99854bc6e4d94eaeff66
change-id: 20251218-fixes-1fa33e72a87f

Best regards,
-- 
Junrui Luo <moonafterrain@...look.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ