drivers/staging/vme_user/vme_user.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
The VME_SET_SLAVE ioctl in drivers/staging/vme_user/vme_user.c accepts
a user-controlled slave.size and forwards it to vme_slave_set() without
comparing it against image[minor].size_buf. The slave-image kernel
buffer is allocated at probe time with a fixed size of PCI_BUF_SIZE
(0x20000 / 128 KiB), but the configured VME window size can be made
much larger via the ioctl.
Additionally, a slave.size of 0 is permitted, which causes vme_get_size()
to return 0. In vme_user_read() and vme_user_write(), the boundary check
(*ppos > image_size - 1) suffers from an integer underflow because
image_size is size_t. This bypasses the bounds check entirely, allowing
offsets beyond the actual allocation.
Result: a local user with read/write access to /dev/bus/vme/s* can
trigger out-of-bounds read and write of the kernel slab adjacent to
the slave-image buffer.
Fix: reject slave.size == 0 and slave.size > size_buf in the VME_SET_SLAVE
handler. With this check in place, the existing bounds checks in
vme_user_read() / vme_user_write() against vme_get_size() are
sufficient to prevent OOB access.
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Rion Kiguchi <kiguchi.r.sec@gmail.com>
---
Changes in v4:
- Add check for slave.size == 0 to prevent integer underflow in bounds check.
- Remove trailing whitespaces inadvertently added in previous versions.
- Remove Fixes and Cc: stable tags to resolve checkpatch warnings based on maintainer feedback.
Changes in v3:
- Drop redundant checks in buffer_to_user() / buffer_from_user();
the existing vme_get_size()-based bounds checks in vme_user_read()
/ vme_user_write() are sufficient once VME_SET_SLAVE rejects
oversized windows.
Changes in v2:
- Use git send-email instead of Gmail web compose.
- Drop redundant Reported-by tag.
- Add Assisted-by tag.
drivers/staging/vme_user/vme_user.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/staging/vme_user/vme_user.c b/drivers/staging/vme_user/vme_user.c
index 11e25c2f6..ba4c9a6d0 100644
--- a/drivers/staging/vme_user/vme_user.c
+++ b/drivers/staging/vme_user/vme_user.c
@@ -394,6 +394,16 @@ static int vme_user_ioctl(struct inode *inode, struct file *file,
return -EFAULT;
}
+ /*
+ * Reject window sizes larger than the kernel buffer
+ * allocated at probe time, otherwise subsequent
+ * read/write would access memory beyond kern_buf.
+ * Also reject size == 0 to prevent integer underflow
+ * in the boundary check (*ppos > image_size - 1).
+ */
+ if (slave.size == 0 || slave.size > image[minor].size_buf)
+ return -EINVAL;
+
/* XXX We do not want to push aspace, cycle and width
* to userspace as they are
*/
--
2.43.0On Thu, May 14, 2026 at 12:45:10PM +0900, Rion Kiguchi wrote: > The VME_SET_SLAVE ioctl in drivers/staging/vme_user/vme_user.c accepts > a user-controlled slave.size and forwards it to vme_slave_set() without > comparing it against image[minor].size_buf. The slave-image kernel > buffer is allocated at probe time with a fixed size of PCI_BUF_SIZE > (0x20000 / 128 KiB), but the configured VME window size can be made > much larger via the ioctl. > > Additionally, a slave.size of 0 is permitted, which causes vme_get_size() > to return 0. In vme_user_read() and vme_user_write(), the boundary check > (*ppos > image_size - 1) suffers from an integer underflow because > image_size is size_t. This bypasses the bounds check entirely, allowing > offsets beyond the actual allocation. > > Result: a local user with read/write access to /dev/bus/vme/s* can > trigger out-of-bounds read and write of the kernel slab adjacent to > the slave-image buffer. > > Fix: reject slave.size == 0 and slave.size > size_buf in the VME_SET_SLAVE > handler. With this check in place, the existing bounds checks in > vme_user_read() / vme_user_write() against vme_get_size() are > sufficient to prevent OOB access. > > Assisted-by: Claude:claude-opus-4-7 > Signed-off-by: Rion Kiguchi <kiguchi.r.sec@gmail.com> > --- > Changes in v4: > - Add check for slave.size == 0 to prevent integer underflow in bounds check. > - Remove trailing whitespaces inadvertently added in previous versions. > - Remove Fixes and Cc: stable tags to resolve checkpatch warnings based on maintainer feedback. Please see the review comments: https://sashiko.dev/#/patchset/20260514034511.4244-1-kiguchi.r.sec@gmail.com
© 2016 - 2026 Red Hat, Inc.