From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v8 1/3] fpga: dfl: add bounds check in dfh_get_param_size()
Date: Mon, 18 May 2026 13:07:40 -0600
Message-ID: <20260518190742.61426-2-sebasjosue84@gmail.com>
In-Reply-To: <20260518190742.61426-1-sebasjosue84@gmail.com>
References: <20260518190742.61426-1-sebasjosue84@gmail.com>

dfh_get_param_size() can return a parameter size larger than the
feature region because the loop bounds check is evaluated before
incrementing size. If the EOP (End of Parameters) bit is set in the
same iteration, the inflated size is returned without re-validation
against max.

This can cause create_feature_instance() to call memcpy_fromio() with
a size exceeding the ioremap'd region when a malicious FPGA device
provides crafted DFHv1 parameter headers.

Add a bounds check after the size increment to ensure the accumulated
size never exceeds the feature boundary.

Fixes: 4747ab89b4a6 ("fpga: dfl: add basic support for DFHv1")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives
---
Changes in v8:
- Add Cc: stable tag. Reported by Greg Kroah-Hartman.

Changes in v7:
- Correct the Fixes: tag commit hash (checkpatch). Reported by Xu Yilun.

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Add blank line after the new bounds check. Suggested by Xu Yilun.
---
 drivers/fpga/dfl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index 4087a36a0..4c63c7c85 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c
@@ -1132,6 +1132,8 @@ static int dfh_get_param_size(void __iomem *dfh_base,= resource_size_t max) return -EINVAL; =20 size +=3D next * sizeof(u64); + if (size > max) + return -EINVAL; =20 if (FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)) return size; --=20 2.43.0
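
Review bot: the added test "if (size > max)" in dfh_get_param_size() accepts size == max, so a parameter block that ends exactly on the feature boundary still passes; if that is intended, a one-line comment saying so, and noting that the loop condition is evaluated before size grows, would keep a later cleanup from dropping the check as redundant. The function returns int while max is resource_size_t, and "next * sizeof(u64)" is added to size before the test, so please also confirm that the declared type of size keeps this comparison correct for large next values.
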
From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v8 2/3] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
Date: Mon, 18 May 2026 13:07:41 -0600
Message-ID: <20260518190742.61426-3-sebasjosue84@gmail.com>
In-Reply-To: <20260518190742.61426-1-sebasjosue84@gmail.com>
References: <20260518190742.61426-1-sebasjosue84@gmail.com>

afu_ioctl_dma_map() accepts a 64-bit length from userspace via
DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value is
passed to afu_dma_pin_pages() where npages is derived as
length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes
int nr_pages, causing implicit truncation if length is very large.

Validate map.length at the ioctl entry point before calling
afu_dma_map_region(), rejecting values whose page count exceeds
INT_MAX.

Fixes: fa8dda1edef9 ("fpga: dfl: afu: add DFL_FPGA_PORT_DMA_MAP/UNMAP ioctls support")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives
---
Changes in v8:
- Add Fixes: and Cc: stable tags. Reported by Greg Kroah-Hartman.

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v3:
- Move validation to afu_ioctl_dma_map() at the ioctl entry point.
  Suggested by Greg Kroah-Hartman.
---
 drivers/fpga/dfl-afu-main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 3bf8e7338..097a97eee 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c
@@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, v= oid __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; =20 + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret =3D afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret; --=20 2.43.0
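
Review bot: the condition "map.length >> PAGE_SHIFT > (u64)INT_MAX" in afu_ioctl_dma_map() depends on >> binding tighter than >, which is correct but easy to misread; parenthesise the shift, as in "if ((map.length >> PAGE_SHIFT) > (u64)INT_MAX)". The test only guards the later conversion of the page count to int: a zero map.length and a wrap of map.user_addr + map.length are not rejected in this hunk, so it is worth stating in the commit message whether afu_dma_map_region() rejects those.
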
From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v8 3/3] fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
Date: Mon, 18 May 2026 13:07:42 -0600
Message-ID: <20260518190742.61426-4-sebasjosue84@gmail.com>
In-Reply-To: <20260518190742.61426-1-sebasjosue84@gmail.com>
References: <20260518190742.61426-1-sebasjosue84@gmail.com>

mpf_ops_parse_header() reads header_size from the bitstream at
MPF_HEADER_SIZE_OFFSET (24). When header_size is zero, the expression
*(buf + header_size - 1) reads one byte before the buffer start.

Since initial_header_size is set to 71 in mpf_ops, the fpga-mgr core
guarantees the buffer is large enough to reach MPF_HEADER_SIZE_OFFSET.
The only real gap is the zero header_size case, which cannot be
resolved by providing a larger buffer, so return -EINVAL.

Fixes: 5f8d4a900830 ("fpga: microchip-spi: add Microchip MPF FPGA manager")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives
---
Changes in v8:
- No changes.

Changes in v7:
- Correct the Fixes: tag commit hash and wrap commit message at 75
  columns (checkpatch).

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Drop redundant count check since initial_header_size = 71 already
  guarantees the buffer covers MPF_HEADER_SIZE_OFFSET.
  Suggested by Xu Yilun.
---
 drivers/fpga/microchip-spi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/fpga/microchip-spi.c b/drivers/fpga/microchip-spi.c index 6134cea86..cc8f6d7bb 100644 --- a/drivers/fpga/microchip-spi.c
+++ b/drivers/fpga/microchip-spi.c @@ -116,6 +116,9 @@ static int mpf_ops_parse_header(struct fpga_manager *mg= r, } =20 header_size =3D *(buf + MPF_HEADER_SIZE_OFFSET); + if (!header_size) + return -EINVAL; + if (header_size > count) { info->header_size =3D header_size; return -EAGAIN; --=20 2.43.0
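
Review bot: the new "if (!header_size)" return in mpf_ops_parse_header() carries no comment, and the expression it protects, *(buf + header_size - 1) per the commit message, lies outside this hunk, so the reason for rejecting zero is not visible at the point of the check; add a short comment there naming the read that would otherwise land before buf. It would also help to note in that comment why this is -EINVAL rather than the -EAGAIN used just below, since the commit message's reasoning (a larger buffer cannot fix a zero size) is otherwise lost once the patch is applied.
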
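
Added example, not part of the posted series or of drivers/fpga/dfl.c: a userspace C model of the check-before-increment loop described in patch 1/3, run with and without the re-validation step. The header bit layout, param_size(), the error constants and the two sample regions are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header layout for this model only (not the DFHv1 layout):
 * bit 0 = EOP (last parameter), bits 63..8 = distance to the next
 * header in 8-byte words. */
#define HDR_EOP(v)        ((v) & 1u)
#define HDR_NEXT(v)       ((v) >> 8)
#define MK_HDR(next, eop) (((uint64_t)(next) << 8) | ((eop) ? 1u : 0u))

#define ERR_INVAL (-22)
#define ERR_NOENT (-2)

/* Walk parameter headers inside a region of `max` bytes and return the
 * total parameter size. With recheck == 0 the only bound test is the
 * loop condition, which runs before size is incremented. */
static long param_size(const uint64_t *region, size_t max, int recheck)
{
    size_t size = 0;

    while (size < max) {
        uint64_t v = region[size / sizeof(uint64_t)];
        uint64_t next = HDR_NEXT(v);

        if (!next)
            return ERR_INVAL;

        size += next * sizeof(uint64_t);
        if (recheck && size > max)   /* re-validate after the increment */
            return ERR_INVAL;

        if (HDR_EOP(v))
            return (long)size;       /* a caller would copy this many bytes */
    }
    return ERR_NOENT;
}

/* Constructed sample regions, 32 bytes (4 words) each. */
static const uint64_t good_region[4] = { MK_HDR(2, 0), 0, MK_HDR(2, 1), 0 };
/* First header claims 100 words and sets EOP in the same iteration. */
static const uint64_t bad_region[4]  = { MK_HDR(100, 1), 0, 0, 0 };

int main(void)
{
    size_t max = sizeof(good_region);

    printf("well-formed, no recheck: %ld\n", param_size(good_region, max, 0));
    printf("well-formed, recheck:    %ld\n", param_size(good_region, max, 1));
    printf("crafted, no recheck:     %ld\n", param_size(bad_region, max, 0));
    printf("crafted, recheck:        %ld\n", param_size(bad_region, max, 1));
    return 0;
}
```

The well-formed region ends exactly at max and is accepted in both modes, which is why the re-validation uses a strict greater-than comparison.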