Skip to content

Commit d00d8da

Browse files
YongjiXiemstsirkin
authored andcommitted
virtio_console: Assure used length from device is limited
The buf->len might come from an untrusted device. This ensures the value would not exceed the size of the buffer to avoid data corruption or loss. Signed-off-by: Xie Yongji <xieyongji@bytedance.com> Acked-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
1 parent 63947b3 commit d00d8da

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

Diff for: drivers/char/virtio_console.c

+2-2
Original file line numberDiff line numberDiff line change
@@ -475,7 +475,7 @@ static struct port_buffer *get_inbuf(struct port *port)
475475

476476
buf = virtqueue_get_buf(port->in_vq, &len);
477477
if (buf) {
478-
buf->len = len;
478+
buf->len = min_t(size_t, len, buf->size);
479479
buf->offset = 0;
480480
port->stats.bytes_received += len;
481481
}
@@ -1709,7 +1709,7 @@ static void control_work_handler(struct work_struct *work)
17091709
while ((buf = virtqueue_get_buf(vq, &len))) {
17101710
spin_unlock(&portdev->c_ivq_lock);
17111711

1712-
buf->len = len;
1712+
buf->len = min_t(size_t, len, buf->size);
17131713
buf->offset = 0;
17141714

17151715
handle_control_message(vq->vdev, portdev, buf);

0 commit comments

Comments
 (0)