Re: [PATCH v4] staging: vme_user: validate slave window size against buffer size

[Greg KH]

On Thu, May 14, 2026 at 12:45:10PM +0900, Rion Kiguchi wrote:
> The VME_SET_SLAVE ioctl in drivers/staging/vme_user/vme_user.c accepts
> a user-controlled slave.size and forwards it to vme_slave_set() without
> comparing it against image[minor].size_buf. The slave-image kernel
> buffer is allocated at probe time with a fixed size of PCI_BUF_SIZE
> (0x20000 / 128 KiB), but the configured VME window size can be made
> much larger via the ioctl.
> 
> Additionally, a slave.size of 0 is permitted, which causes vme_get_size()
> to return 0. In vme_user_read() and vme_user_write(), the boundary check
> (*ppos > image_size - 1) suffers from an integer underflow because
> image_size is size_t. This bypasses the bounds check entirely, allowing
> offsets beyond the actual allocation.
> 
> Result: a local user with read/write access to /dev/bus/vme/s* can
> trigger out-of-bounds read and write of the kernel slab adjacent to
> the slave-image buffer.
> 
> Fix: reject slave.size == 0 and slave.size > size_buf in the VME_SET_SLAVE
> handler. With this check in place, the existing bounds checks in
> vme_user_read() / vme_user_write() against vme_get_size() are
> sufficient to prevent OOB access.
> 
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Rion Kiguchi <kiguchi.r.sec@xxxxxxxxx>
> ---
> Changes in v4:
>  - Add check for slave.size == 0 to prevent integer underflow in bounds check.
>  - Remove trailing whitespaces inadvertently added in previous versions.
>  - Remove Fixes and Cc: stable tags to resolve checkpatch warnings based on maintainer feedback.

Please see the review comments:
	https://sashiko.dev/#/patchset/20260514034511.4244-1-kiguchi.r.sec@xxxxxxxxx