vfio/platform: check the bounds of read/write syscalls
authorAlex Williamson <alex.williamson@redhat.com>
Wed, 22 Jan 2025 17:38:30 +0000 (10:38 -0700)
committerAlex Williamson <alex.williamson@redhat.com>
Thu, 23 Jan 2025 20:13:27 +0000 (13:13 -0700)
count and offset are passed from user space and not checked; only
offset is capped to 40 bits. This can be used to read/write out of
bounds of the device.

Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
Cc: stable@vger.kernel.org
Reported-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Mostafa Saleh <smostafa@google.com>
Tested-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
drivers/vfio/platform/vfio_platform_common.c

index e53757d1d0958ad2b4c675fad8556ab6a49610f7..3bf1043cd7957ca2f1ae3bf4512e4df4d45ab19c 100644 (file)
@@ -388,6 +388,11 @@ static ssize_t vfio_platform_read_mmio(struct vfio_platform_region *reg,
 {
        unsigned int done = 0;
 
+       if (off >= reg->size)
+               return -EINVAL;
+
+       count = min_t(size_t, count, reg->size - off);
+
        if (!reg->ioaddr) {
                reg->ioaddr =
                        ioremap(reg->addr, reg->size);
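Review bot: The two added statements in vfio_platform_read_mmio are order-dependent and nothing in the code says so: `reg->size - off` cannot wrap only because `off >= reg->size` has already returned -EINVAL. A short comment above them would keep a later edit from reordering or merging the checks, for example `/* off < reg->size from here on, so reg->size - off cannot wrap; clamp count to what is left of the region */`. The comment could also record that a request running past the end of the region is shortened rather than rejected, which presumably reaches the caller as a short transfer; the rest of the body is outside the hunk. The `min_t(size_t, ...)` cast would narrow the difference if `reg->size` is wider than size_t on some build; narrowing can only shrink the bound, but the declarations are not visible here, so the types are worth confirming. The identical lines in the vfio_platform_write_mmio hunk warrant the same comment.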
@@ -467,6 +472,11 @@ static ssize_t vfio_platform_write_mmio(struct vfio_platform_region *reg,
 {
        unsigned int done = 0;
 
+       if (off >= reg->size)
+               return -EINVAL;
+
+       count = min_t(size_t, count, reg->size - off);
+
        if (!reg->ioaddr) {
                reg->ioaddr =
                        ioremap(reg->addr, reg->size);