RISC-V: KVM: fix stack overrun when loading vlenb

commit 799766208f09f95677a9ab111b93872d414fbad7 upstream.

The userspace load can put up to 2048 bits into an xlen bit stack
buffer.  We want only xlen bits, so check the size beforehand.

Fixes: 2fa290372dfe ("RISC-V: KVM: add 'vlenb' Vector CSR")
Cc: stable@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@ventanamicro.com>
Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Link: https://lore.kernel.org/r/20250805104418.196023-4-rkrcmar@ventanamicro.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
index d92d1348045c8cfc60ddd7b6d524f8db535e4619..8454c1c3655a4ca0d0a901cbff73d7ee6cb83469 100644 (file)
--- a/arch/riscv/kvm/vcpu_vector.c
+++ b/arch/riscv/kvm/vcpu_vector.c
@@ -181,6 +181,8 @@ int kvm_riscv_vcpu_set_reg_vector(struct kvm_vcpu *vcpu,
                struct kvm_cpu_context *cntx = &vcpu->arch.guest_context;
                unsigned long reg_val;
 
+               if (reg_size != sizeof(reg_val))
+                       return -EINVAL;
                if (copy_from_user(&reg_val, uaddr, reg_size))
                        return -EFAULT;
                if (reg_val != cntx->vector.vlenb)