summaryrefslogtreecommitdiff
path: root/mm/tests/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorSebastian Alba Vives <sebasjosue84@gmail.com>2026-05-18 13:07:40 -0600
committerXu Yilun <yilun.xu@linux.intel.com>2026-06-01 12:28:33 +0800
commit9e8bc49f91f3f81d957c4f1c1f09fe94e2f88f6a (patch)
tree2c8b102e5a19826bc4d6224e6db80ad5677aa5ef /mm/tests/git@git.tavy.me:linux.git
parent3c310d945b9490b3417eba7d58d7c7fbb3156081 (diff)
fpga: dfl: add bounds check in dfh_get_param_size()
dfh_get_param_size() can return a parameter size larger than the feature region because the loop bounds check is evaluated before incrementing size. If the EOP (End of Parameters) bit is set in the same iteration, the inflated size is returned without re-validation against max. This can cause create_feature_instance() to call memcpy_fromio() with a size exceeding the ioremap'd region when a malicious FPGA device provides crafted DFHv1 parameter headers. Add a bounds check after the size increment to ensure the accumulated size never exceeds the feature boundary. Fixes: 4747ab89b4a6 ("fpga: dfl: add basic support for DFHv1") Cc: stable@vger.kernel.org Signed-off-by: Sebastian Alba Vives <sebasjosue84@gmail.com> Reviewed-by: Xu Yilun <yilun.xu@intel.com> Link: https://lore.kernel.org/r/20260518190742.61426-2-sebasjosue84@gmail.com Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Diffstat (limited to 'mm/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions