[PATCH v2] vduse: Fix off by one in vduse_dev_mmap()

From: Dan Carpenter
Date: Wed Feb 28 2024 - 12:44:19 EST

Next message: Roberto Sassu: "Re: [PATCH v3 00/13] security: digest_cache LSM"
Previous message: Dan Carpenter: "Re: [PATCH] vduse: Fix off by one in vduse_dev_mmap()"
Next in thread: Stefan Hajnoczi: "Re: [PATCH v2] vduse: Fix off by one in vduse_dev_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The dev->vqs[] array has "dev->vq_num" elements. It's allocated in
vduse_dev_init_vqs(). Thus, this > comparison needs to be >= to avoid
reading one element beyond the end of the array.

Add an array_index_nospec() as well to prevent speculation issues.

Fixes: 316ecd1346b0 ("vduse: Add file operation for mmap")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
v2: add array_index_nospec().

drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index b7a1fb88c506..eb914084c650 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -1532,9 +1532,10 @@ static int vduse_dev_mmap(struct file *file, struct vm_area_struct *vma)
if ((vma->vm_flags & VM_SHARED) == 0)
return -EINVAL;

- if (index > dev->vq_num)
+ if (index >= dev->vq_num)
return -EINVAL;

vq = dev->vqs[index];
vaddr = vq->vdpa_reconnect_vaddr;
if (vaddr == 0)
--
2.43.0

Next message: Roberto Sassu: "Re: [PATCH v3 00/13] security: digest_cache LSM"
Previous message: Dan Carpenter: "Re: [PATCH] vduse: Fix off by one in vduse_dev_mmap()"
Next in thread: Stefan Hajnoczi: "Re: [PATCH v2] vduse: Fix off by one in vduse_dev_mmap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]