[PATCH] fwctl: pds: Validate RPC input size before parsing

Heechan Kang posted 1 patch 1 week ago
drivers/fwctl/pds/main.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] fwctl: pds: Validate RPC input size before parsing
Posted by Heechan Kang 1 week ago
The fwctl core allocates the device-specific RPC input buffer with
fwctl_rpc.in_len and passes that buffer to the driver callback.

pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
pdsfc_validate_rpc(), which reads fields from that structure before
checking that the input buffer is large enough to contain it. A short
in_len can make pds_fwctl read beyond the allocation.

Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
parsing any pds-specific fields.

Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
Cc: stable@vger.kernel.org # v6.15+
Signed-off-by: Heechan Kang <gganji11@naver.com>
---
 drivers/fwctl/pds/main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
index 08872ee8422f..68fe254dd10a 100644
--- a/drivers/fwctl/pds/main.c
+++ b/drivers/fwctl/pds/main.c
@@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
 	void *out = NULL;
 	int err;
 
+	if (in_len < sizeof(*rpc))
+		return ERR_PTR(-EINVAL);
+
 	err = pdsfc_validate_rpc(pdsfc, rpc, scope);
 	if (err)
 		return ERR_PTR(err);
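Review bot: The added `in_len < sizeof(*rpc)` test sits in pdsfc_fw_rpc(), but the reads it protects happen inside pdsfc_validate_rpc(), which is called with (pdsfc, rpc, scope) and no length, so the validator depends on its caller keeping this order. Consider passing in_len to pdsfc_validate_rpc() and making the size test its first step, or add a one-line comment above the new check saying it must stay ahead of the first dereference of rpc.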
-- 
2.34.1
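The ordering the commit message describes, as an added user-space sketch in C (not code from the patch or from drivers/fwctl): the buffer is allocated at exactly in_len bytes and the handler checks that length before any header field is read. struct demo_rpc, its fields and the demo_* functions are hypothetical; the payload_len bound goes beyond the patch to show the same rule for a length carried inside the header.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size request header; NOT the layout of struct fwctl_rpc_pds. */
struct demo_rpc {
	uint32_t ep;          /* endpoint selector (assumed field) */
	uint32_t op;          /* operation code (assumed field) */
	uint32_t payload_len; /* bytes of inline data after the header (assumed field) */
};

/* Reads header fields, so the caller must already know the header is present. */
static int demo_validate(const struct demo_rpc *rpc)
{
	return (rpc->ep >= 4 || rpc->op == 0) ? -EINVAL : 0;
}

/* Driver-side handler: size check first, field parsing second. */
static int demo_fw_rpc(const void *in, size_t in_len)
{
	const struct demo_rpc *rpc = in;
	if (in_len < sizeof(*rpc))      /* same shape as the check the patch adds */
		return -EINVAL;
	if (demo_validate(rpc))
		return -EINVAL;
	/* A length taken from the header is bounded by what was really copied in. */
	if (rpc->payload_len > in_len - sizeof(*rpc))
		return -E2BIG;
	return 0;
}

/* Core-side model: allocate exactly in_len bytes, copy the request, dispatch. */
static int demo_dispatch(const void *user, size_t in_len)
{
	void *in = malloc(in_len ? in_len : 1);
	int ret;
	if (!in)
		return -ENOMEM;
	memcpy(in, user, in_len);
	ret = demo_fw_rpc(in, in_len);
	free(in);
	return ret;
}

int main(void)
{
	struct demo_rpc req = { .ep = 1, .op = 2, .payload_len = 0 }; /* constructed input */
	return (demo_dispatch(&req, sizeof(req)) == 0 &&
		demo_dispatch(&req, sizeof(req) - 1) == -EINVAL) ? 0 : 1;
}
```

Building this with AddressSanitizer and deleting the first check in demo_fw_rpc() makes the short-buffer call report a heap out-of-bounds read, which is the condition the patch closes.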
Re: [PATCH] fwctl: pds: Validate RPC input size before parsing
Posted by Jason Gunthorpe 5 days, 15 hours ago
On Sun, May 17, 2026 at 03:22:32PM +0900, Heechan Kang wrote:
> The fwctl core allocates the device-specific RPC input buffer with
> fwctl_rpc.in_len and passes that buffer to the driver callback.
> 
> pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
> pdsfc_validate_rpc(), which reads fields from that structure before
> checking that the input buffer is large enough to contain it. A short
> in_len can make pds_fwctl read beyond the allocation.
> 
> Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
> parsing any pds-specific fields.
> 
> Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
> Cc: stable@vger.kernel.org # v6.15+
> Signed-off-by: Heechan Kang <gganji11@naver.com>
> ---
>  drivers/fwctl/pds/main.c | 3 +++
>  1 file changed, 3 insertions(+)

Applied to for-rc, thanks

Jason
Re: [PATCH] fwctl: pds: Validate RPC input size before parsing
Posted by Creeley, Brett 6 days, 11 hours ago

On 5/16/2026 11:22 PM, Heechan Kang wrote:
> The fwctl core allocates the device-specific RPC input buffer with
> fwctl_rpc.in_len and passes that buffer to the driver callback.
>
> pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
> pdsfc_validate_rpc(), which reads fields from that structure before
> checking that the input buffer is large enough to contain it. A short
> in_len can make pds_fwctl read beyond the allocation.
>
> Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
> parsing any pds-specific fields.
>
> Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
> Cc: stable@vger.kernel.org # v6.15+
> Signed-off-by: Heechan Kang <gganji11@naver.com>
> ---
>   drivers/fwctl/pds/main.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
> index 08872ee8422f..68fe254dd10a 100644
> --- a/drivers/fwctl/pds/main.c
> +++ b/drivers/fwctl/pds/main.c
> @@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
>          void *out = NULL;
>          int err;
>
> +       if (in_len < sizeof(*rpc))
> +               return ERR_PTR(-EINVAL);
> +

LGTM. Thanks for the fix.

Brett
>          err = pdsfc_validate_rpc(pdsfc, rpc, scope);
>          if (err)
>                  return ERR_PTR(err);
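Review bot: The comparison in the added lines guarantees only that a complete struct fwctl_rpc_pds was copied in, and in_len is not used again in the lines shown. If any field of rpc gives the size or offset of data held in the same input buffer, that field needs its own bound against in_len - sizeof(*rpc) before use; the commit message would be clearer if it said whether such fields exist.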
> --
> 2.34.1
>
Re: [PATCH] fwctl: pds: Validate RPC input size before parsing
Posted by Dave Jiang 6 days, 14 hours ago

On 5/16/26 11:22 PM, Heechan Kang wrote:
> The fwctl core allocates the device-specific RPC input buffer with
> fwctl_rpc.in_len and passes that buffer to the driver callback.
> 
> pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls
> pdsfc_validate_rpc(), which reads fields from that structure before
> checking that the input buffer is large enough to contain it. A short
> in_len can make pds_fwctl read beyond the allocation.
> 
> Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before
> parsing any pds-specific fields.
> 
> Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
> Cc: stable@vger.kernel.org # v6.15+
> Signed-off-by: Heechan Kang <gganji11@naver.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  drivers/fwctl/pds/main.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c
> index 08872ee8422f..68fe254dd10a 100644
> --- a/drivers/fwctl/pds/main.c
> +++ b/drivers/fwctl/pds/main.c
> @@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum fwctl_rpc_scope scope,
>  	void *out = NULL;
>  	int err;
>  
> +	if (in_len < sizeof(*rpc))
> +		return ERR_PTR(-EINVAL);
> +
>  	err = pdsfc_validate_rpc(pdsfc, rpc, scope);
>  	if (err)
>  		return ERR_PTR(err);
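Review bot: The added `in_len < sizeof(*rpc)` branch arrives without a regression test, and the diffstat shows only main.c changing. A small test that issues the RPC with in_len one byte short of struct fwctl_rpc_pds and expects -EINVAL, then with exactly sizeof(struct fwctl_rpc_pds) to confirm valid requests still reach pdsfc_validate_rpc(), would make the stable backports easier to verify.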