From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v6 1/3] fpga: dfl: add bounds check in dfh_get_param_size()
Date: Tue, 12 May 2026 07:07:08 -0600
Message-ID: <20260512130710.933089-2-sebasjosue84@gmail.com>
In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com>
References: <20260512130710.933089-1-sebasjosue84@gmail.com>

dfh_get_param_size() can return a parameter size larger than the feature
region because the loop bounds check is evaluated before incrementing
size. If the EOP (End of Parameters) bit is set in the same iteration,
the inflated size is returned without re-validation against max.

This can cause create_feature_instance() to call memcpy_fromio() with a
size exceeding the ioremap'd region when a malicious FPGA device provides
crafted DFHv1 parameter headers.

Add a bounds check after the size increment to ensure the accumulated
size never exceeds the feature boundary.

Fixes: a80a4b2b2e4f ("fpga: dfl: add support for DFHv1")
Signed-off-by: Sebastian Alba Vives
---
Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Add blank line after the new bounds check. Suggested by Xu Yilun.

Changes in v2:
- Use (size > max) instead of (size + DFHv1_PARAM_HDR > max). Suggested by Xu Yilun.
---
 drivers/fpga/dfl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
index 4087a36a0..4c63c7c85 100644
--- a/drivers/fpga/dfl.c
+++ b/drivers/fpga/dfl.c
@@ -1132,6 +1132,8 @@ static int dfh_get_param_size(void __iomem *dfh_base,= resource_size_t max) return -EINVAL; =20 size +=3D next * sizeof(u64); + if (size > max) + return -EINVAL; =20 if (FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)) return size;
-- 
2.43.0
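Review bot: the new `if (size > max)` in dfh_get_param_size() sits after `size += next * sizeof(u64)`, so it is only sound if that addition cannot wrap; the width of the NEXT_OFFSET field and the type of `size` are not visible in this hunk, and if `size` is narrower than the product, a crafted header could wrap it to a small value that passes the test (and, with EOP clear, leave the loop re-reading the same header). Testing the increment before applying it avoids that entirely, e.g. `if (next * sizeof(u64) > max - size) return -EINVAL;` followed by the addition; `max - size` cannot underflow there provided the loop's existing bound check, which the commit message says runs before the increment, keeps size below max. Separately, stable is only Cc'd in the mail header of this patch; a `Cc: stable@vger.kernel.org` trailer beside the Fixes: tag, as patch 3/3 carries, is what the stable process keys on.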
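As an added illustration of the walk the commit message describes (this is not code from the patch or from the dfl driver), here is a userspace model of dfh_get_param_size() run over a constructed feature region, once without and once with the patch's check. The DFHv1 layout constants (parameter headers at 0x28, NEXT_OFFSET in bits 63:35 counted in u64s, EOP at bit 32), the loop shape and the 64-bit `size` are assumptions taken from my recollection of dfl.h and from the hunk's context, and `walk_crafted()`, `walk_benign()` and `REGION_MAX` are hypothetical helpers invented for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * DFHv1 layout as assumed here (my recollection of drivers/fpga/dfl.h, not
 * text from the patch): parameter headers begin at 0x28 in the feature
 * region, NEXT_OFFSET is bits 63:35 counted in u64s, EOP is bit 32.
 */
#define DFHv1_PARAM_HDR				0x28
#define DFHv1_PARAM_HDR_NEXT_EOP		(1ULL << 32)
#define DFHv1_PARAM_HDR_NEXT_OFFSET_SHIFT	35

#define REGION_MAX	0x100	/* constructed feature region: 256 bytes */

/* Encode one parameter header from a NEXT_OFFSET (in u64s) and an EOP flag. */
static uint64_t param_hdr(uint64_t next_qwords, int eop)
{
	return (next_qwords << DFHv1_PARAM_HDR_NEXT_OFFSET_SHIFT) |
	       (eop ? DFHv1_PARAM_HDR_NEXT_EOP : 0);
}

/* Stand-in for readq() on the ioremap'd region. */
static uint64_t readq_mem(const uint8_t *base, uint64_t off)
{
	uint64_t v;

	memcpy(&v, base + off, sizeof(v));
	return v;
}

/*
 * The walk, shaped after the hunk and the commit message: the bound is
 * tested before the increment, so a header whose NEXT_OFFSET overshoots
 * max and which also sets EOP is returned unchecked unless `fixed` adds
 * the patch's test. `size` is 64-bit here; the kernel's type is not shown.
 */
static int64_t get_param_size(const uint8_t *dfh_base, uint64_t max, int fixed)
{
	uint64_t size = 0, v, next;

	while (size + DFHv1_PARAM_HDR < max) {
		v = readq_mem(dfh_base, DFHv1_PARAM_HDR + size);

		next = v >> DFHv1_PARAM_HDR_NEXT_OFFSET_SHIFT;
		if (!next)
			return -EINVAL;

		size += next * sizeof(uint64_t);
		if (fixed && size > max)
			return -EINVAL;

		if (v & DFHv1_PARAM_HDR_NEXT_EOP)
			return (int64_t)size;
	}

	return -ENOENT;
}

/* Region (plus 8 bytes of slack for the last readq) holding one header that
 * claims 64 u64s = 512 bytes of parameters and sets EOP: the crafted case. */
int64_t walk_crafted(int fixed)
{
	uint8_t region[REGION_MAX + sizeof(uint64_t)] = { 0 };
	uint64_t hdr = param_hdr(64, 1);

	memcpy(region + DFHv1_PARAM_HDR, &hdr, sizeof(hdr));
	return get_param_size(region, REGION_MAX, fixed);
}

/* Well-formed region: two parameters of 16 and 24 bytes, EOP on the second. */
int64_t walk_benign(int fixed)
{
	uint8_t region[REGION_MAX + sizeof(uint64_t)] = { 0 };
	uint64_t h0 = param_hdr(2, 0), h1 = param_hdr(3, 1);

	memcpy(region + DFHv1_PARAM_HDR, &h0, sizeof(h0));
	memcpy(region + DFHv1_PARAM_HDR + 16, &h1, sizeof(h1));
	return get_param_size(region, REGION_MAX, fixed);
}

int main(void)
{
	printf("crafted: unfixed=%lld fixed=%lld (max=%d)\n",
	       (long long)walk_crafted(0), (long long)walk_crafted(1), REGION_MAX);
	printf("benign:  unfixed=%lld fixed=%lld\n",
	       (long long)walk_benign(0), (long long)walk_benign(1));
	return 0;
}
```

With `fixed` = 0 the crafted region yields 512 for a 256-byte feature, which is the length the commit message says would reach memcpy_fromio(); with the patch's check it yields -EINVAL, and the well-formed region yields 40 either way.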
From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v6 2/3] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
Date: Tue, 12 May 2026 07:07:09 -0600
Message-ID: <20260512130710.933089-3-sebasjosue84@gmail.com>
In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com>
References: <20260512130710.933089-1-sebasjosue84@gmail.com>

afu_ioctl_dma_map() accepts a 64-bit length from userspace via the
DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value is
passed to afu_dma_pin_pages(), where npages is derived as
length >> PAGE_SHIFT and passed to pin_user_pages_fast(), which takes
int nr_pages, causing implicit truncation if length is very large.

Validate map.length at the ioctl entry point before calling
afu_dma_map_region(), rejecting values whose page count exceeds INT_MAX.
Signed-off-by: Sebastian Alba Vives
---
Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v3:
- Move validation to afu_ioctl_dma_map() at the ioctl entry point. Suggested by Greg Kroah-Hartman.
---
 drivers/fpga/dfl-afu-main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c
index 3bf8e7338..097a97eee 100644
--- a/drivers/fpga/dfl-afu-main.c
+++ b/drivers/fpga/dfl-afu-main.c
@@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, v= oid __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; =20 + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret =3D afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret;
-- 
2.43.0
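Review bot: `map.length >> PAGE_SHIFT > (u64)INT_MAX` in afu_ioctl_dma_map() is correct only because `>>` binds tighter than `>`; parenthesising the shift and adding a one-line comment that the bound exists because pin_user_pages_fast() takes an `int nr_pages` (today that reason lives only in the commit message) would make the line self-explaining, e.g. `/* npages must fit the int nr_pages of pin_user_pages_fast() */` above `if ((map.length >> PAGE_SHIFT) > INT_MAX)`. The `(u64)` cast is redundant, since map.length is already the 64-bit field the commit message describes. Placing the check in the ioctl handler also means any other caller of afu_dma_map_region() would keep the truncation; if there is none, saying so in the commit message settles it. Finally, the message has no Fixes: tag although stable@vger.kernel.org is Cc'd, and the stable process needs one.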
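Added example, not the dfl-afu driver's code: a model of the ioctl-to-pin path that makes the truncation in the commit message observable, with the hunk's check switchable on and off. PAGE_SHIFT = 12, the page-alignment checks attributed here to afu_dma_map_region(), and the `dma_map_model()`/`pin_pages_model()`/`struct map_outcome` names are assumptions made for the example; the middle comparison is the one from the hunk.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumptions, not text from the patch: 4 KiB pages and the
 * page-alignment checks afu_dma_map_region() applies before pinning. */
#define PAGE_SHIFT	12
#define PAGE_SIZE	(1ULL << PAGE_SHIFT)
#define PAGE_ALIGNED(x)	(((x) & (PAGE_SIZE - 1)) == 0)

/* Outcome of one DFL_FPGA_PORT_DMA_MAP request in the model. */
struct map_outcome {
	int ret;	/* 0 or negative errno from the ioctl path */
	int nr_pages;	/* the int pin_user_pages_fast() would receive when ret == 0 */
};

/* Stand-in for afu_dma_pin_pages(): the page count lands in an int, which
 * is the implicit u64 -> int conversion the commit message describes. */
static int pin_pages_model(uint64_t length)
{
	int npages = length >> PAGE_SHIFT;	/* truncates once length >= 2^43 */

	return npages;
}

/* afu_ioctl_dma_map() -> afu_dma_map_region(), modelled; `fixed` enables
 * the hunk's check at the ioctl entry point. */
struct map_outcome dma_map_model(uint64_t user_addr, uint64_t length, int fixed)
{
	struct map_outcome o = { .ret = 0, .nr_pages = 0 };

	if (fixed && (length >> PAGE_SHIFT) > (uint64_t)INT_MAX) {
		o.ret = -EINVAL;	/* the new check from the hunk */
		return o;
	}

	if (!PAGE_ALIGNED(user_addr) || !PAGE_ALIGNED(length) || !length) {
		o.ret = -EINVAL;	/* assumed pre-existing checks in afu_dma_map_region() */
		return o;
	}

	o.nr_pages = pin_pages_model(length);
	return o;
}

int main(void)
{
	const uint64_t lengths[] = { 1ULL << 20, (uint64_t)INT_MAX << PAGE_SHIFT,
				     1ULL << 43, 1ULL << 44 };
	size_t i;

	for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
		struct map_outcome u = dma_map_model(0x10000, lengths[i], 0);
		struct map_outcome f = dma_map_model(0x10000, lengths[i], 1);

		printf("length=0x%llx unfixed: ret=%d nr_pages=%d | fixed: ret=%d nr_pages=%d\n",
		       (unsigned long long)lengths[i], u.ret, u.nr_pages, f.ret, f.nr_pages);
	}
	return 0;
}
```

The alignment checks do nothing against the overlong values: a 16 TiB request is page aligned and, unfixed, reaches the pin step asking for 0 pages (2^32 truncated to int), while 8 TiB asks for a negative count; the fixed path rejects both, and INT_MAX pages is the largest request it still lets through.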
From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v6 3/3] fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
Date: Tue, 12 May 2026 07:07:10 -0600
Message-ID: <20260512130710.933089-4-sebasjosue84@gmail.com>
In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com>
References: <20260512130710.933089-1-sebasjosue84@gmail.com>

mpf_ops_parse_header() reads header_size from the bitstream at
MPF_HEADER_SIZE_OFFSET (24). When header_size is zero, the expression
*(buf + header_size - 1) reads one byte before the buffer start.

Since initial_header_size is set to 71 in mpf_ops, the fpga-mgr core
guarantees the buffer is always large enough to reach
MPF_HEADER_SIZE_OFFSET. The only real gap is the zero header_size case,
which cannot be resolved by providing a larger buffer, so return -EINVAL.

Fixes: 5f8d4a9008307 ("fpga: microchip-spi: add Microchip MPF FPGA manager")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives
---
Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Drop redundant count check since initial_header_size = 71 already guarantees the buffer covers MPF_HEADER_SIZE_OFFSET. Suggested by Xu Yilun.
---
 drivers/fpga/microchip-spi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/fpga/microchip-spi.c b/drivers/fpga/microchip-spi.c
index 6134cea86..cc8f6d7bb 100644
--- a/drivers/fpga/microchip-spi.c
+++ b/drivers/fpga/microchip-spi.c
@@ -116,6 +116,9 @@ static int mpf_ops_parse_header(struct fpga_manager *mg= r, } =20 header_size =3D *(buf + MPF_HEADER_SIZE_OFFSET); + if (!header_size) + return -EINVAL; + if (header_size > count) { info->header_size =3D header_size; return -EAGAIN; --=20 2.43.0
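Review bot: `if (!header_size)` in mpf_ops_parse_header() rejects only zero, yet header_size is read from offset MPF_HEADER_SIZE_OFFSET (24, per the commit message), so any value from 1 to 24 describes a header shorter than the field it was read from, passes both this test and `header_size > count`, and sends `*(buf + header_size - 1)` into the header's own fixed fields instead of the byte that should follow them. `if (header_size <= MPF_HEADER_SIZE_OFFSET) return -EINVAL;` covers zero and that range in one test. A dev_err() reporting the rejected value would also make a corrupt bitstream diagnosable rather than a bare -EINVAL.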
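Added example, not the microchip-spi driver's code: a model of the first steps of mpf_ops_parse_header() run on constructed 71-byte initial chunks, with the zero check switchable on and off. MPF_HEADER_SIZE_OFFSET = 24 and the 71-byte initial chunk come from the commit message and the -EAGAIN/info->header_size retry path from the hunk; `parse_header_model()`, `parse_chunk()`, `struct parse_result` and the chunk contents are mine. The model records the index of `*(buf + header_size - 1)` instead of dereferencing it, so the header_size == 0 case can be shown without reading out of bounds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MPF_HEADER_SIZE_OFFSET	24	/* offset of header_size, per the commit message */
#define MPF_INITIAL_CHUNK	71	/* initial_header_size in mpf_ops, per the commit message */

/* What the model observes for one call. */
struct parse_result {
	int ret;		/* 0, -EINVAL or -EAGAIN */
	size_t want;		/* info->header_size handed back on -EAGAIN */
	ptrdiff_t tail_index;	/* index of *(buf + header_size - 1); valid when ret == 0 */
};

/*
 * Model of the start of mpf_ops_parse_header(); `fixed` enables the hunk's
 * zero check. The index the driver would dereference next is recorded rather
 * than read, so header_size == 0 is observable without touching buf[-1].
 */
static struct parse_result parse_header_model(const uint8_t *buf, size_t count, int fixed)
{
	struct parse_result r = { .ret = 0, .want = 0, .tail_index = 0 };
	uint8_t header_size = buf[MPF_HEADER_SIZE_OFFSET];

	if (fixed && !header_size) {
		r.ret = -EINVAL;
		return r;
	}

	if (header_size > count) {
		r.want = header_size;	/* fpga-mgr retries with a buffer this large */
		r.ret = -EAGAIN;
		return r;
	}

	r.tail_index = (ptrdiff_t)header_size - 1;	/* -1 when header_size == 0 */
	return r;
}

/* Constructed initial chunk: filler bytes with only the header_size field set. */
struct parse_result parse_chunk(uint8_t header_size, int fixed)
{
	uint8_t chunk[MPF_INITIAL_CHUNK];

	memset(chunk, 0x5a, sizeof(chunk));
	chunk[MPF_HEADER_SIZE_OFFSET] = header_size;
	return parse_header_model(chunk, sizeof(chunk), fixed);
}

int main(void)
{
	const uint8_t sizes[] = { 0, 71, 200 };
	size_t i;

	for (i = 0; i < sizeof(sizes); i++) {
		struct parse_result u = parse_chunk(sizes[i], 0);
		struct parse_result f = parse_chunk(sizes[i], 1);

		printf("header_size=%3u unfixed: ret=%d tail_index=%td | fixed: ret=%d want=%zu\n",
		       sizes[i], u.ret, u.tail_index, f.ret, f.want);
	}
	return 0;
}
```

Unfixed, a zero header_size is accepted and the next read lands at index -1; fixed, it is rejected with -EINVAL. A header_size larger than the 71-byte chunk takes the -EAGAIN path and reports how much the caller must supply, which is the retry the commit message relies on to cover every other size.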