[PATCH] firmware: qemu_fw_cfg: reject overflowing file directories
From: Yousef Alhouseen
Date: Sat Jun 27 2026 - 19:55:23 EST
The fw_cfg file count is supplied by the VMM. On 32-bit systems,
multiplying a large count by the directory entry size can wrap, resulting
in a short allocation and an out-of-bounds walk of the directory.
Reject counts whose directory size cannot be represented by size_t before
allocating or reading the directory.
Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/firmware/qemu_fw_cfg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c
index 0c51a9df5..3d5eece35 100644
--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -34,6 +34,7 @@
#include <linux/slab.h>
#include <linux/io.h>
#include <linux/ioport.h>
+#include <linux/overflow.h>
#include <uapi/linux/qemu_fw_cfg.h>
#include <linux/delay.h>
#include <linux/crash_dump.h>
@@ -642,7 +643,8 @@ static int fw_cfg_register_dir_entries(void)
return ret;
count = be32_to_cpu(files_count);
- dir_size = count * sizeof(struct fw_cfg_file);
+ if (check_mul_overflow((size_t)count, sizeof(*dir), &dir_size))
+ return -EOVERFLOW;
dir = kmalloc(dir_size, GFP_KERNEL);
if (!dir)
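Review bot: the declaration of dir_size is outside the hunk's context, and check_mul_overflow() judges overflow against the type of the destination it writes through (&dir_size), so please confirm in the commit message (or widen the context) that dir_size is declared size_t, as the message's "cannot be represented by size_t" assumes; the explicit (size_t) cast on count does not change that. Also consider whether kmalloc_array(count, sizeof(*dir), GFP_KERNEL) would be the more idiomatic guard here: it already refuses an overflowing count by returning NULL, so the existing `if (!dir)` path would cover the case with -ENOMEM, and the separate check_mul_overflow() is only needed if dir_size is still used beyond the kmalloc() call shown (the trade-off is then just which error the caller sees, -EOVERFLOW versus -ENOMEM). Minor: the replacement line also switches sizeof(struct fw_cfg_file) to sizeof(*dir); fine, but worth a word in the commit message.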
--
2.54.0