lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260116081723.1603603-5-duziming2@huawei.com>
Date: Fri, 16 Jan 2026 16:17:21 +0800
From: Ziming Du <duziming2@...wei.com>
To: <bhelgaas@...gle.com>, <alex@...zbot.org>, <chrisw@...hat.com>,
	<jbarnes@...tuousgeek.org>
CC: <linux-pci@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<liuyongqiang13@...wei.com>
Subject: [PATCH v4 4/4] PCI: Prevent overflow in proc_bus_pci_read()

proc_bus_pci_read() assigns *ppos directly to an unsigned integer variable.
For large offsets, this implicit conversion may truncate the value and
cause reads from an incorrect position.

proc_bus_pci_write() explicitly validates *ppos and rejects values larger
than INT_MAX, while proc_bus_pci_read() currently accepts them. This
difference in position handling is unjustified.

Fix this by validating *ppos in proc_bus_pci_read() and rejecting offsets
larger than INT_MAX before the assignment, matching proc_bus_pci_write().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ziming Du <duziming2@...wei.com>
Suggested-by: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
---
 drivers/pci/proc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 2d51b26edbe74..f4ef7629dc78b 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -29,9 +29,12 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 				 size_t nbytes, loff_t *ppos)
 {
 	struct pci_dev *dev = pde_data(file_inode(file));
-	unsigned int pos = *ppos;
+	int pos;
 	unsigned int cnt, size;
 
+	if (*ppos > INT_MAX)
+		return -EINVAL;
+	pos = *ppos;
 	/*
 	 * Normal users can read only the standardized portion of the
 	 * configuration space as several chips lock up when trying to read
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ