]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
dibs: loopback: validate offset and size in move_data()
authorDust Li <dust.li@linux.alibaba.com>
Tue, 7 Jul 2026 07:43:18 +0000 (15:43 +0800)
committerPaolo Abeni <pabeni@redhat.com>
Thu, 9 Jul 2026 10:44:00 +0000 (12:44 +0200)
The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length.  Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.

A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer.  Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.

Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable@vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
Reported-by: Baul Lee <baul.lee@xbow.com>
Link: https://patch.msgid.link/20260707074318.1448662-1-dust.li@linux.alibaba.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/dibs/dibs_loopback.c

index ec3b48cb0e8742ed07f190ab7a09591d358e0ab1..0f2e093111526b0f9bbb4e767e49e1202f320a54 100644 (file)
@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
                read_unlock_bh(&ldev->dmb_ht_lock);
                return -EINVAL;
        }
+       if ((u64)offset + size > rmb_node->len) {
+               read_unlock_bh(&ldev->dmb_ht_lock);
+               return -EINVAL;
+       }
+
        memcpy((char *)rmb_node->cpu_addr + offset, data, size);
        sba_idx = rmb_node->sba_idx;
        read_unlock_bh(&ldev->dmb_ht_lock);