Hi!
From: Xie Yongji xieyongji@bytedance.com
[ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]
The buf->len might come from an untrusted device. This ensures the value would not exceed the size of the buffer to avoid data corruption or loss.
Since we are not trusting the other side, do we need to use _nospec variants to prevent speculation attacks?
Best regards, Pavel
+++ b/drivers/char/virtio_console.c @@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *port) buf = virtqueue_get_buf(port->in_vq, &len); if (buf) {
buf->len = len;
buf->len = min_t(size_t, len, buf->size);@@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct *work) while ((buf = virtqueue_get_buf(vq, &len))) { spin_unlock(&portdev->c_ivq_lock);
buf->len = len;
buf->len = min_t(size_t, len, buf->size);handle_control_message(vq->vdev, portdev, buf);