From: Heechan Kang
To: Brett Creeley, Jason Gunthorpe
Cc: Dave Jiang, Saeed Mahameed, Jonathan Cameron, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Heechan Kang
Subject: [PATCH] fwctl: pds: Validate RPC input size before parsing
Date: Sun, 17 May 2026 15:22:32 +0900
Message-Id: <20260517062232.1858747-1-gganji11@naver.com>

The fwctl core allocates the device-specific RPC input buffer with fwctl_rpc.in_len and passes that buffer to the driver callback.

pdsfc_fw_rpc() casts the buffer to struct fwctl_rpc_pds and then calls pdsfc_validate_rpc(), which reads fields from that structure before checking that the input buffer is large enough to contain it. A short in_len can make pds_fwctl read beyond the allocation.

Reject pds RPC buffers that are smaller than struct fwctl_rpc_pds before parsing any pds-specific fields.

Fixes: 92c66ee829b9 ("pds_fwctl: add rpc and query support")
Cc: stable@vger.kernel.org # v6.15+
Signed-off-by: Heechan Kang Reviewed-by: Dave Jiang --- drivers/fwctl/pds/main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fwctl/pds/main.c b/drivers/fwctl/pds/main.c index 08872ee8422f..68fe254dd10a 100644 --- a/drivers/fwctl/pds/main.c +++ b/drivers/fwctl/pds/main.c @@ -362,6 +362,9 @@ static void *pdsfc_fw_rpc(struct fwctl_uctx *uctx, enum= fwctl_rpc_scope scope, void *out =3D NULL; int err; =20 + if (in_len < sizeof(*rpc)) + return ERR_PTR(-EINVAL); + err =3D pdsfc_validate_rpc(pdsfc, rpc, scope); if (err) return ERR_PTR(err); --=20 2.34.1
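Review bot: the new `in_len < sizeof(*rpc)` check in pdsfc_fw_rpc() lives outside the validator, and the call that follows it is still `pdsfc_validate_rpc(pdsfc, rpc, scope)` with no length argument, so the function that actually reads the structure has no way to confirm how much of the buffer is valid. Consider passing in_len into pdsfc_validate_rpc() and making the size test its first step, so the bound and the field parsing stay in one place and cannot be separated by a later refactor or a second caller. If the check stays in pdsfc_fw_rpc(), a one-line comment saying it must precede any dereference of rpc would help keep it ahead of the validation call. Whether any field inside struct fwctl_rpc_pds also needs to be bounded against in_len is not visible in this hunk and is worth stating in the commit message either way.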