Re: [PATCH v6 1/3] fpga: dfl: add bounds check in dfh_get_param_size()

From: Xu Yilun

Date: Mon May 18 2026 - 11:07:40 EST


On Tue, May 12, 2026 at 07:07:08AM -0600, Sebastian Alba Vives wrote:
> dfh_get_param_size() can return a parameter size larger than the feature
> region because the loop bounds check is evaluated before incrementing
> size. If the EOP (End of Parameters) bit is set in the same iteration,
> the inflated size is returned without re-validation against max.
>
> This can cause create_feature_instance() to call memcpy_fromio() with a
> size exceeding the ioremap'd region when a malicious FPGA device provides
> crafted DFHv1 parameter headers.
>
> Add a bounds check after the size increment to ensure the accumulated
> size never exceeds the feature boundary.
>
> Fixes: a80a4b2b2e4f ("fpga: dfl: add support for DFHv1")

No such commit. Please run checkpatch before posting.
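
The check ordering described in the quoted commit message, as an added example that is not part of this thread and not the kernel's code: a simplified C model of a parameter-size walk that tests the bound only at the top of the loop, beside a version that re-validates after the increment. The header bit layout, function names and sample arrays are constructed for the illustration, and `max` here is the byte size of the parameter region.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed header layout for this example (not the DFHv1 register layout):
 * bit 0 = EOP, bits 16:1 = offset to the next header in 8-byte words. */
#define HDR_EOP(v)  ((v) & 1u)
#define HDR_NEXT(v) ((size_t)(((v) >> 1) & 0xffffu))
#define MK_HDR(next, eop) (((uint64_t)(next) << 1) | (eop))

/* "Before": max is tested only at the top of the loop, so the size
 * returned on EOP has never been compared against it. */
long param_size_before(const uint64_t *hdrs, size_t max)
{
    size_t size = 0;
    while (size < max) {
        uint64_t v = hdrs[size / sizeof(uint64_t)];
        size_t next = HDR_NEXT(v);
        if (!next) return -1;               /* malformed: zero offset */
        size += next * sizeof(uint64_t);
        if (HDR_EOP(v)) return (long)size;  /* may exceed max */
    }
    return -2;                              /* no EOP inside the region */
}

/* "After": re-validate the accumulated size right after the increment. */
long param_size_after(const uint64_t *hdrs, size_t max)
{
    size_t size = 0;
    while (size < max) {
        uint64_t v = hdrs[size / sizeof(uint64_t)];
        size_t next = HDR_NEXT(v);
        if (!next) return -1;
        size += next * sizeof(uint64_t);
        if (size > max) return -1;          /* claims more than the region holds */
        if (HDR_EOP(v)) return (long)size;
    }
    return -2;
}

/* Constructed inputs for a 16-byte parameter region. */
const uint64_t hdrs_ok[2]  = { MK_HDR(1, 0), MK_HDR(1, 1) };
const uint64_t hdrs_bad[2] = { MK_HDR(4, 1), 0 };  /* claims 32 bytes, EOP set */

int main(void)
{
    printf("before: %ld, after: %ld\n", param_size_before(hdrs_bad, 16), param_size_after(hdrs_bad, 16));
    return 0;
}
```

A caller that passes the "before" result straight to a copy routine would read 32 bytes from a 16-byte region for `hdrs_bad`; the "after" version rejects that header instead.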