From: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com
[ Upstream commit 937c783aa3d8d77963ec91918d3298edb45b9161 ]
Add a limit to 'config->vq_num' which is user controlled data which comes from an vduse_ioctl to prevent large memory allocations.
Micheal says - This limit is somewhat arbitrary. However, currently virtio pci and ccw are limited to a 16 bit vq number. While MMIO isn't it is also isn't used with lots of VQs due to current lack of support for per-vq interrupts. Thus, the 0xffff limit on number of VQs corresponding to a 16-bit VQ number seems sufficient for now.
This is found using static analysis with smatch.
Suggested-by: Michael S. Tsirkin mst@redhat.com Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com Message-Id: 20221128155717.2579992-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Michael S. Tsirkin mst@redhat.com Acked-by: Jason Wang jasowang@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index e7d2d5b7e125..3467c75f310a 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -1251,6 +1251,9 @@ static bool vduse_validate_config(struct vduse_dev_config *config) if (config->config_size > PAGE_SIZE) return false;
+ if (config->vq_num > 0xffff) + return false; + if (!device_is_allowed(config->device_id)) return false;