[PATCH v8 0/3] fpga: bounds checks and input validation fixes

Sebastian Alba Vives posted 3 patches 6 days, 8 hours ago
drivers/fpga/dfl-afu-main.c  | 3 +++
drivers/fpga/dfl.c           | 2 ++
drivers/fpga/microchip-spi.c | 3 +++
3 files changed, 8 insertions(+)
This series adds three defensive fixes to FPGA drivers:

Patch 1/3 fixes dfh_get_param_size() in the DFL driver where the loop
bounds check is evaluated before incrementing size, potentially returning
an inflated size that exceeds the feature region boundary.

Patch 2/3 validates the DMA mapping length in afu_ioctl_dma_map() at the
ioctl entry point before passing it down the call chain, preventing
implicit integer truncation in pin_user_pages_fast().

Patch 3/3 fixes mpf_ops_parse_header() in the Microchip SPI FPGA manager
where a zero header_size from the bitstream causes a one-byte read before
the buffer start.

Sebastian Alba Vives (3):
  fpga: dfl: add bounds check in dfh_get_param_size()
  fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
  fpga: microchip-spi: fix zero header_size OOB read in
    mpf_ops_parse_header()

-- 
2.43.0
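
The ordering problem the cover letter describes for patch 1/3, as an added user-space example (not code from the series or the driver). The header layout, the names, and the placement of the post-increment check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed simplified header layout (not the real DFH encoding). */
#define PARAM_HDR 8u              /* one 64-bit parameter header, in bytes */
#define NEXT_MASK 0x7fffffffull   /* offset to next header, in 8-byte words */
#define EOP_BIT   (1ull << 31)    /* end-of-parameters flag */

/* check_after = 0: the bound is tested only at the top of the loop, before
 * size is advanced. check_after = 1: size is re-validated after the increment. */
static int64_t param_size(const uint64_t *region, uint64_t max, int check_after)
{
    uint64_t size = 0;

    while (size + PARAM_HDR < max) {
        uint64_t v = region[size / 8];      /* in bounds: size + 8 < max */
        uint64_t next = v & NEXT_MASK;

        if (!next)
            return -1;                      /* zero offset would never advance */
        size += next * sizeof(uint64_t);
        if (check_after && size > max)
            return -1;                      /* list runs past the region */
        if (v & EOP_BIT)
            return (int64_t)size;           /* without the check: may exceed max */
    }
    return -1;                              /* no end-of-parameters marker */
}

/* Constructed 32-byte regions: one well-formed, one with an oversized offset. */
static const uint64_t good_region[4] = { 2, 0, 2 | EOP_BIT, 0 };
static const uint64_t bad_region[4]  = { 100 | EOP_BIT, 0, 0, 0 };

int main(void)
{
    printf("good: unchecked=%lld checked=%lld\n",
           (long long)param_size(good_region, sizeof(good_region), 0),
           (long long)param_size(good_region, sizeof(good_region), 1));
    printf("bad:  unchecked=%lld checked=%lld (region is %zu bytes)\n",
           (long long)param_size(bad_region, sizeof(bad_region), 0),
           (long long)param_size(bad_region, sizeof(bad_region), 1),
           sizeof(bad_region));
    return 0;
}
```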