[PATCH] misc: ibmvmc: reject oversized inbound messages

From: Yousef Alhouseen

Date: Wed Jun 24 2026 - 13:54:34 EST


ibmvmc_recv_msg() trusts the message length from the CRQ.
It passes that length directly to h_copy_rdma().
The destination buffer is only max_mtu bytes.
A larger length can overrun it before userspace reads the message.

Validate the CRQ length before issuing the RDMA copy.

Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/misc/ibmvmc.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/misc/ibmvmc.c b/drivers/misc/ibmvmc.c
index beb18c34f..b64ed9293 100644
--- a/drivers/misc/ibmvmc.c
+++ b/drivers/misc/ibmvmc.c
@@ -1653,6 +1653,13 @@ static int ibmvmc_recv_msg(struct crq_server_adapter *adapter,
return -1;
}

+ if (msg_len > buffer->size) {
+ dev_err(adapter->dev, "Recv_msg: msg_len 0x%lx exceeds buffer size 0x%x\n",
+ msg_len, buffer->size);
+ spin_unlock_irqrestore(&hmc->lock, flags);
+ return -1;
+ }
+
/* RDMA the data into the partition. */
rc = h_copy_rdma(msg_len,
adapter->riobn,
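Review bot: the new check bounds msg_len by buffer->size, but the commit message describes the destination as max_mtu bytes; if buffer->size is always set from max_mtu, state that in the message (or bound by the quantity the message names) so a reader can confirm the check covers the whole destination without opening the allocation path. Also, the dev_err() in this hunk prints a length taken straight from the CRQ on every rejected message; since the point of the patch is that this value is untrusted, consider dev_err_ratelimited() so a misbehaving peer cannot flood the log, and keep the spin_unlock_irqrestore(&hmc->lock, flags) before `return -1;` as written, since it mirrors the existing error path just above.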
--
2.54.0