[PATCH v2 02/18] mshv: Fix potential integer overflow in mshv_region_create

Next message: Stanislav Kinsburskii: "[PATCH v2 04/18] mshv: Fix potential u64 overflow in region overlap check"
Previous message: Stanislav Kinsburskii: "[PATCH v2 03/18] mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions"
In reply to: Stanislav Kinsburskii: "[PATCH v2 03/18] mshv: Fix mshv_prepare_pinned_region error path for unencrypted partitions"
Next in thread: Stanislav Kinsburskii: "[PATCH v2 04/18] mshv: Fix potential u64 overflow in region overlap check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stanislav Kinsburskii

Date: Sat May 02 2026 - 00:27:59 EST

The allocation size is computed as:

sizeof(*region) + sizeof(struct page *) * nr_pages

where nr_pages is a u64 originating from userspace. A sufficiently
large nr_pages can overflow the multiplication, resulting in a small
allocation followed by out-of-bounds writes when populating mreg_pages.

Use struct_size() which returns SIZE_MAX on overflow, causing vzalloc
to safely return NULL — caught by the existing error check.

Fixes: 621191d709b14 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Signed-off-by: Stanislav Kinsburskii <skinsburskii@xxxxxxxxxxxxxxxxxxx>
---
drivers/hv/mshv_regions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hv/mshv_regions.c b/drivers/hv/mshv_regions.c
index fdffd4f002f6f..1d04a97980b8b 100644
--- a/drivers/hv/mshv_regions.c
+++ b/drivers/hv/mshv_regions.c
@@ -177,7 +177,7 @@ struct mshv_mem_region *mshv_region_create(u64 guest_pfn, u64 nr_pages,
{
struct mshv_mem_region *region;

- region = vzalloc(sizeof(*region) + sizeof(struct page *) * nr_pages);
+ region = vzalloc(struct_size(region, mreg_pages, nr_pages));
if (!region)
return ERR_PTR(-ENOMEM);