Re: [PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg()

Next message: ellyndra: "[PATCH v2] x86/syscall: make sys_call helpers static"
Previous message: Greg KH: "Re: [PATCH v2] rtl8723bs: Replace atomic_t with int for continual_io_error (no concurrency)"
In reply to: Junrui Luo: "[PATCH] misc: ibmvmc: fix buffer overflow in ibmvmc_recv_msg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Thu Dec 18 2025 - 09:57:53 EST

On Thu, Dec 18, 2025 at 10:43:11PM +0800, Junrui Luo wrote:
> The ibmvmc_recv_msg() function receives a msg_len value from the
> hypervisor and uses it directly in h_copy_rdma() without validating.
> This can result a buffer overflow.
>
> Add a check to ensure msg_len does not exceed buffer->size before
> calling h_copy_rdma().
>
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)")
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> drivers/misc/ibmvmc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/misc/ibmvmc.c b/drivers/misc/ibmvmc.c
> index e5f935b5249d..e583a73a3592 100644
> --- a/drivers/misc/ibmvmc.c
> +++ b/drivers/misc/ibmvmc.c
> @@ -1654,6 +1654,12 @@ static int ibmvmc_recv_msg(struct crq_server_adapter *adapter,
> }
>
> /* RDMA the data into the partition. */
> + if (msg_len > buffer->size) {
> + dev_err(adapter->dev, "Recv_msg: msg_len 0x%x exceeds buffer size 0x%x\n",
> + (unsigned int)msg_len, (unsigned int)buffer->size);

Don't allow broken hardware to spam the kernel log. Make this a
debugging message instead.

And place the check above the comment?

thanks,

greg k-h