git.ipfire.org Git - thirdparty/kernel/linux.git/commit
crypto: ccp - Fix snp_filter_reserved_mem_regions() off-by-one
author Tycho Andersen (AMD) <tycho@kernel.org>
Wed, 8 Apr 2026 14:32:57 +0000 (08:32 -0600)
committer Herbert Xu <herbert@gondor.apana.org.au>
Thu, 7 May 2026 08:09:58 +0000 (16:09 +0800)
commit 1b864b6cb213bbd7b406e9b2e98c962077f300df
tree 63f7488aeb8c3fb7823c3df84ae154e6b361dd8f
parent 4a76a164ba1617f60d1c8a2fd754466c9d9e48e9
crypto: ccp - Fix snp_filter_reserved_mem_regions() off-by-one

Sashiko notes:

> regarding the bounds check in snp_filter_reserved_mem_regions()
> called via walk_iomem_res_desc(): does the check
> if ((range_list->num_elements * 16 + 8) > PAGE_SIZE)
> allow an off-by-one heap buffer overflow?
>
> If range_list->num_elements is 255, 255 * 16 + 8 = 4088, which is <= 4096.
> Writing range->base (8 bytes) fills 4088-4095, but writing range->page_count
> (4 bytes) would write to 4096-4099, overflowing the kzalloc-allocated
> PAGE_SIZE buffer.

Fix this by accounting for the entry about to be written to, in addition to
the entries that are already allocated.

Fixes: 1ca5614b84ee ("crypto: ccp: Add support to initialize the AMD-SP for SEV-SNP")
Reported-by: Sashiko
Assisted-by: Gemini:gemini-3.1-pro-preview
Link: https://sashiko.dev/#/patchset/20260324161301.1353976-1-tycho%40kernel.org
Signed-off-by: Tycho Andersen (AMD) <tycho@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
drivers/crypto/ccp/sev-dev.c
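
The arithmetic in the quoted report, worked through as an added example (not code from the kernel or from this patch). The struct names, the 16-byte guard region and the exact form of the second check are assumptions built from the sizes the commit message states: an 8-byte header, 16-byte entries and a 4096-byte PAGE_SIZE. It appends entries under each check and counts the bytes that land past the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096u
#define GUARD 16u /* spare bytes past the page so the overflow can be observed safely */

/* Hypothetical layout with the sizes from the commit message:
 * 8-byte header, then 16-byte entries (8-byte base, 4-byte page_count, 4 reserved). */
struct range { uint64_t base; uint32_t page_count; uint32_t reserved; };
struct range_list { uint32_t num_elements; uint32_t reserved; struct range ranges[]; };

/* Check as quoted in the report: counts only the entries already stored. */
static int old_check_rejects(uint32_t n) { return (n * 16 + 8) > PAGE_SIZE; }

/* Assumed corrected form: also counts the entry about to be written. */
static int new_check_rejects(uint32_t n) { return ((n + 1) * 16 + 8) > PAGE_SIZE; }

/* Append entries until the check rejects. Returns the number of bytes
 * modified at or beyond offset PAGE_SIZE; *stored receives the entry count. */
static unsigned fill_and_count_overflow(int (*rejects)(uint32_t), uint32_t *stored)
{
    unsigned char *buf = calloc(1, PAGE_SIZE + GUARD);
    struct range_list *list = (struct range_list *)buf;
    unsigned over = 0;

    if (!buf)
        return ~0u;
    while (!rejects(list->num_elements)) {
        struct range *r = &list->ranges[list->num_elements];
        r->base = UINT64_MAX;        /* constructed sample values, all bits set */
        r->page_count = UINT32_MAX;  /* so every written byte is non-zero */
        list->num_elements++;
    }
    for (unsigned i = PAGE_SIZE; i < PAGE_SIZE + GUARD; i++)
        over += (buf[i] != 0);
    *stored = list->num_elements;
    free(buf);
    return over;
}

int main(void)
{
    uint32_t n;
    unsigned over = fill_and_count_overflow(old_check_rejects, &n);
    printf("old check: %u entries, %u bytes past the page\n", n, over);
    over = fill_and_count_overflow(new_check_rejects, &n);
    printf("new check: %u entries, %u bytes past the page\n", n, over);
    return 0;
}
```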