drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++ 1 file changed, 7 insertions(+)
Fix integer overflow in axis_fifo_write() that allows local users
to bypass buffer validation, potentially causing hardware FIFO
buffer overflow and system denial of service.
The axis_fifo_write() function converts user-controlled size_t 'len'
(64-bit) to unsigned int 'words_to_write' (32-bit) without overflow
checking at line 322:
words_to_write = len / sizeof(u32);
On 64-bit systems, when len equals 0x400000000 (16 GiB):
- Division: 0x400000000 / 4 = 0x100000000 (requires 33 bits)
- Truncation: Result stored in 32-bit variable = 0 (overflow)
- Validation bypass: if (0 > fifo_depth) evaluates to false
- Impact: Hardware FIFO overflow, system crash
This allows unprivileged local users with access to /dev/axis_fifo*
to trigger denial of service.
The fix adds overflow check before type conversion to ensure len
does not exceed the maximum safe value (UINT_MAX * sizeof(u32)).
Affected systems include embedded devices using Xilinx FPGA with
AXI-Stream FIFO IP cores.
Signed-off-by: Murad Sadigov <sdgvmrd@gmail.com>
---
drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/staging/axis-fifo/axis-fifo.c
b/drivers/staging/axis-fifo/axis-fifo.c
index 1234567890ab..abcdef123456 100644
--- a/drivers/staging/axis-fifo/axis-fifo.c
+++ b/drivers/staging/axis-fifo/axis-fifo.c
@@ -319,6 +319,13 @@ static ssize_t axis_fifo_write(struct file *f,
const char __user *buf,
return -EINVAL;
}
+ /* Prevent integer overflow in words calculation */
+ if (len > (size_t)UINT_MAX * sizeof(u32)) {
+ dev_err(fifo->dt_device,
+ "write length %zu exceeds maximum %zu bytes\n",
+ len, (size_t)UINT_MAX * sizeof(u32));
+ return -EINVAL;
+ }
+
words_to_write = len / sizeof(u32);
if (!words_to_write) {
--
2.34.1Hi Murad,
This can't happen because vfs_write() caps len at <= MAX_RW_COUNT.
Presumably this is your Linkedin page?
https://www.linkedin.com/in/mrdsdgv/?originalSubdomain=az
When you're doing the analysis on this sort of thing, it's nice to
have the Smatch cross function db built. I hacked up the vfs_write()
information a bit so it says that len can't be more than 1G when
actually it's capped at 2G. I did that so that count + len wouldn't
trigger an integer overflow warning. Those are prevented in
rw_verify_area().
$ smdb axis_fifo_write
file | caller | function | type | parameter | key | value |
fs/read_write.c | vfs_write | (struct file_operations)->write | INTERNAL | -1 | | long(*)(struct file*, char*, ulong, llong*)
fs/read_write.c | vfs_write | (struct file_operations)->write | BIT_INFO | 0 | f->f_mode | 0x40002,0xffffffff
fs/read_write.c | vfs_write | (struct file_operations)->write | USER_DATA | 1 | buf | 0-u64max[c]
fs/read_write.c | vfs_write | (struct file_operations)->write | USER_DATA | 2 | len | 0-1000000000
fs/read_write.c | vfs_write | (struct file_operations)->write | USER_DATA | 3 | *off | 0-1000000000
fs/read_write.c | vfs_write | (struct file_operations)->write | USER_PTR | 3 | off |
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 0 | f | 4096-9223372036854775807
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 0 | f->f_op | 4096-ptr_max
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 0 | f->f_op->write | 1-u64max
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 2 | len | 0-1000000000,2147479552
fs/read_write.c | vfs_write | (struct file_operations)->write | FUZZY_MAX | 2 | len | 2147479552
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 3 | *off | 0-1000000000
fs/read_write.c | vfs_write | (struct file_operations)->write | PARAM_VALUE | 3 | off | 0,4096-ptr_max
fs/read_write.c | vfs_write | (struct file_operations)->write | CONTAINER | 0 | -32-80+0 | $(-1)
fs/read_write.c | vfs_write | (struct file_operations)->write | DATA_SOURCE | 0 | f | $0
fs/read_write.c | vfs_write | (struct file_operations)->write | DATA_SOURCE | 1 | buf | $1
fs/read_write.c | vfs_write | (struct file_operations)->write | DATA_SOURCE | 2 | len | $2 [m]
fs/read_write.c | vfs_write | (struct file_operations)->write | DATA_SOURCE | 3 | off | $3
fs/read_write.c | vfs_write | (struct file_operations)->write | 2059 | -1 | | y
fs/read_write.c | vfs_write | (struct file_operations)->write | 2059 | -1 | | y
fs/read_write.c | vfs_write | (struct file_operations)->write | BUF_SIZE | 3 | off | (-1),8
$
regards,
dan carpenter
On Tue, Oct 07, 2025 at 03:58:13PM +0400, Murad Sadigov wrote:
> Fix integer overflow in axis_fifo_write() that allows local users
> to bypass buffer validation, potentially causing hardware FIFO
> buffer overflow and system denial of service.
>
> The axis_fifo_write() function converts user-controlled size_t 'len'
> (64-bit) to unsigned int 'words_to_write' (32-bit) without overflow
> checking at line 322:
>
> words_to_write = len / sizeof(u32);
>
> On 64-bit systems, when len equals 0x400000000 (16 GiB):
> - Division: 0x400000000 / 4 = 0x100000000 (requires 33 bits)
> - Truncation: Result stored in 32-bit variable = 0 (overflow)
> - Validation bypass: if (0 > fifo_depth) evaluates to false
> - Impact: Hardware FIFO overflow, system crash
>
> This allows unprivileged local users with access to /dev/axis_fifo*
> to trigger denial of service.
>
> The fix adds overflow check before type conversion to ensure len
> does not exceed the maximum safe value (UINT_MAX * sizeof(u32)).
>
> Affected systems include embedded devices using Xilinx FPGA with
> AXI-Stream FIFO IP cores.
>
> Signed-off-by: Murad Sadigov <sdgvmrd@gmail.com>
> ---
> drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/staging/axis-fifo/axis-fifo.c
> b/drivers/staging/axis-fifo/axis-fifo.c
> index 1234567890ab..abcdef123456 100644
> --- a/drivers/staging/axis-fifo/axis-fifo.c
> +++ b/drivers/staging/axis-fifo/axis-fifo.c
> @@ -319,6 +319,13 @@ static ssize_t axis_fifo_write(struct file *f,
> const char __user *buf,
> return -EINVAL;
> }
>
> + /* Prevent integer overflow in words calculation */
> + if (len > (size_t)UINT_MAX * sizeof(u32)) {
> + dev_err(fifo->dt_device,
> + "write length %zu exceeds maximum %zu bytes\n",
> + len, (size_t)UINT_MAX * sizeof(u32));
> + return -EINVAL;
> + }
> +
Something went wrong here, your email client dropped all of the leading
spaces :(
Also, you do not want to allow userspace to cause a DoS on the kernel
log, so don't log this information, just return an error, no need to
print anything.
thanks,
greg k-h
On Tue, Oct 07, 2025 at 02:18:47PM +0200, Greg KH wrote:
> On Tue, Oct 07, 2025 at 03:58:13PM +0400, Murad Sadigov wrote:
> > Fix integer overflow in axis_fifo_write() that allows local users
> > to bypass buffer validation, potentially causing hardware FIFO
> > buffer overflow and system denial of service.
> >
> > The axis_fifo_write() function converts user-controlled size_t 'len'
> > (64-bit) to unsigned int 'words_to_write' (32-bit) without overflow
> > checking at line 322:
> >
> > words_to_write = len / sizeof(u32);
> >
> > On 64-bit systems, when len equals 0x400000000 (16 GiB):
> > - Division: 0x400000000 / 4 = 0x100000000 (requires 33 bits)
> > - Truncation: Result stored in 32-bit variable = 0 (overflow)
> > - Validation bypass: if (0 > fifo_depth) evaluates to false
> > - Impact: Hardware FIFO overflow, system crash
> >
> > This allows unprivileged local users with access to /dev/axis_fifo*
> > to trigger denial of service.
> >
> > The fix adds overflow check before type conversion to ensure len
> > does not exceed the maximum safe value (UINT_MAX * sizeof(u32)).
> >
> > Affected systems include embedded devices using Xilinx FPGA with
> > AXI-Stream FIFO IP cores.
> >
> > Signed-off-by: Murad Sadigov <sdgvmrd@gmail.com>
> > ---
> > drivers/staging/axis-fifo/axis-fifo.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/drivers/staging/axis-fifo/axis-fifo.c
> > b/drivers/staging/axis-fifo/axis-fifo.c
> > index 1234567890ab..abcdef123456 100644
> > --- a/drivers/staging/axis-fifo/axis-fifo.c
> > +++ b/drivers/staging/axis-fifo/axis-fifo.c
> > @@ -319,6 +319,13 @@ static ssize_t axis_fifo_write(struct file *f,
> > const char __user *buf,
> > return -EINVAL;
> > }
> >
> > + /* Prevent integer overflow in words calculation */
> > + if (len > (size_t)UINT_MAX * sizeof(u32)) {
> > + dev_err(fifo->dt_device,
> > + "write length %zu exceeds maximum %zu bytes\n",
> > + len, (size_t)UINT_MAX * sizeof(u32));
> > + return -EINVAL;
> > + }
> > +
>
> Something went wrong here, your email client dropped all of the leading
> spaces :(
>
> Also, you do not want to allow userspace to cause a DoS on the kernel
> log, so don't log this information, just return an error, no need to
> print anything.
Also, look at this function in the linux-next branch. It has been
rewritten and I think will not fail in the same way you are thinking it
will fail here. I'll get those changes to Linus by the end of this
week, sorry for not noticing they were not flushed out to his tree yet.
thanks,
greg k-h
© 2016 - 2026 Red Hat, Inc.