Jason Wang
2022-Nov-29 02:59 UTC
[PATCH v3] vduse: Validate vq_num in vduse_validate_config()
On Mon, Nov 28, 2022 at 11:57 PM Harshit Mogalapalli <harshit.m.mogalapalli at oracle.com> wrote:> > Add a limit to 'config->vq_num' which is user controlled data which > comes from an vduse_ioctl to prevent large memory allocations. > > Micheal says - This limit is somewhat arbitrary. > However, currently virtio pci and ccw are limited to a 16 bit vq number. > While MMIO isn't it is also isn't used with lots of VQs due to > current lack of support for per-vq interrupts. > Thus, the 0xffff limit on number of VQs corresponding > to a 16-bit VQ number seems sufficient for now. > > This is found using static analysis with smatch. > > Suggested-by: Michael S. Tsirkin <mst at redhat.com> > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli at oracle.com>Acked-by: Jason Wang <jasowang at redhat.com> Thanks> --- > v1->v2: Change title of the commit and description, add a limit to > vq_num. > > v2->v3: Improve commit message to include reason for setting limit to > 0xffff > > Only compile and boot tested. > --- > drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index 35dceee3ed56..31017ebc4d7c 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -1440,6 +1440,9 @@ static bool vduse_validate_config(struct vduse_dev_config *config) > if (config->config_size > PAGE_SIZE) > return false; > > + if (config->vq_num > 0xffff) > + return false; > + > if (!device_is_allowed(config->device_id)) > return false; > > -- > 2.38.1 >
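Review bot: the new check `if (config->vq_num > 0xffff)` in vduse_validate_config() hard-codes the bound as a magic number, and the only explanation of why 0xffff was chosen (the 16-bit VQ number of virtio pci and ccw) lives in the commit message, not next to the code. Since the message itself calls the limit "somewhat arbitrary", a named macro (for example a hypothetical `VDUSE_MAX_VQ_NUM`, name chosen here for illustration) with a one-line comment carrying that rationale would make it clear to a later reader that the value is a policy choice tied to the 16-bit queue index and not a hardware requirement of the VDUSE interface, and would give a single place to change it if per-vq interrupt support for MMIO ever makes larger counts practical. The placement before device_is_allowed() is fine: it rejects the user-controlled vq_num before any allocation is sized from it, which is the point of the fix.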