| field | value | date |
|---|---|---|
| author | Qihang Tang <q.h.hack.winter@gmail.com> | 2026-05-08 10:58:21 +0300 |
| committer | Michael S. Tsirkin <mst@redhat.com> | 2026-06-10 09:14:01 +0300 |
| commit | 929e4f044621c8cc30b612fb74e1410bef09e41b (patch) | |
| tree | 93d73df4cb9eaf09e671f202eff7352a1667ffbc /include/uapi/linux | |
| parent | e440e077748939839d9f76e24383b76b785f80ce (diff) | |
| download | linux-929e4f044621c8cc30b612fb74e1410bef09e41b.tar.xz | |
vhost/vdpa: validate virtqueue index in mmap and fault paths

vhost_vdpa_mmap() and vhost_vdpa_fault() use vma->vm_pgoff as a
virtqueue index for get_vq_notification(), but they do not validate
that the index is smaller than v->nvqs.

The ioctl path already performs both a bounds check and
array_index_nospec(), but the mmap/fault path only checks that the
index fits in u16. This allows an out-of-range queue index to reach
driver-specific get_vq_notification() callbacks.

Fix this by extracting a unified vhost_vdpa_get_vq_notification()
helper that validates the queue index against v->nvqs and applies
array_index_nospec() before calling the driver callback. Both the
mmap and fault paths use this helper, and the bounds checking is
consolidated into a single location.

From source inspection, the most defensible impact is out-of-bounds
access in the callback path, potentially leading to invalid PFN
remaps and crash/DoS.

Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap")
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Qihang Tang <q.h.hack.winter@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260508075821.92656-1-q.h.hack.winter@gmail.com>
Diffstat (limited to 'include/uapi/linux')
0 files changed, 0 insertions, 0 deletions
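The pattern the commit message describes, a bounds check of the queue index against `nvqs` followed by `array_index_nospec()` before the driver callback sees the index, as an added userspace C model. This is not the kernel's code or the author's patch: the `demo_vdpa_dev` struct, the `demo_get_vq_notification()` callback, the two-queue sample device and its doorbell values are constructed for the example, and `old_check_accepts()` only reports whether the pre-fix "fits in u16" check would have let an index through, without touching any array. `array_index_mask_nospec()` follows the kernel's generic branch-free formula.

```c
/* Added example, not kernel code: a userspace model of validating a
 * virtqueue index taken from an mmap offset before dispatching to a
 * driver callback. All names and sample values below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * 8)

/* Same formula as the kernel's generic array_index_mask_nospec():
 * all-ones when index < size, all-zeros otherwise, computed without a
 * branch so the result also holds while the CPU speculates past the
 * preceding bounds check. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to 0 under speculation if it is out of range. Only valid
 * after an architectural `index < size` check has already been made. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

struct vq_notification {
	unsigned long addr;	/* doorbell physical address (constructed) */
	unsigned long size;
};

/* Constructed stand-in for a vDPA device exposing doorbells. */
struct demo_vdpa_dev {
	uint16_t nvqs;				/* number of valid virtqueues */
	struct vq_notification doorbells[4];	/* backing store for the callback */
};

/* Stand-in for a driver's get_vq_notification() callback. Like the real
 * callbacks it trusts idx; validation is the caller's responsibility. */
static struct vq_notification demo_get_vq_notification(struct demo_vdpa_dev *d, uint16_t idx)
{
	return d->doorbells[idx];
}

/* The check the message says the mmap/fault path used to rely on: the
 * offset merely has to fit in a u16. It performs no access; it exists
 * to show which offsets would have reached the driver callback. */
static bool old_check_accepts(unsigned long pgoff)
{
	return pgoff <= UINT16_MAX;
}

/* Modelled on the unified helper described in the message: reject
 * pgoff >= nvqs, then apply array_index_nospec() before calling the
 * driver callback. Returns false (and leaves *out untouched) on an
 * out-of-range index, mirroring an -EINVAL / VM_FAULT_SIGBUS result. */
static bool vdpa_get_vq_notification_checked(struct demo_vdpa_dev *d,
					     unsigned long pgoff,
					     struct vq_notification *out)
{
	if (pgoff >= d->nvqs)
		return false;
	uint16_t idx = (uint16_t)array_index_nospec(pgoff, d->nvqs);
	*out = demo_get_vq_notification(d, idx);
	return true;
}

/* Constructed sample device: two live queues out of four slots. */
static struct demo_vdpa_dev demo_device(void)
{
	struct demo_vdpa_dev d = { .nvqs = 2 };
	d.doorbells[0] = (struct vq_notification){ 0x1000, 0x1000 };
	d.doorbells[1] = (struct vq_notification){ 0x2000, 0x1000 };
	return d;
}

int main(void)
{
	struct demo_vdpa_dev d = demo_device();
	struct vq_notification n;
	unsigned long offsets[] = { 0, 1, 2, 70000UL };

	for (unsigned i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
		unsigned long off = offsets[i];
		bool ok = vdpa_get_vq_notification_checked(&d, off, &n);
		printf("pgoff %-6lu old check: %s  new helper: %s",
		       off, old_check_accepts(off) ? "accept" : "reject",
		       ok ? "accept" : "reject");
		if (ok)
			printf("  -> doorbell 0x%lx", n.addr);
		printf("\n");
	}
	return 0;
}
```

Offset 2 is the case the fix closes: it fits in a u16, so the old check lets it through to a callback that indexes past the two live queues, while the helper rejects it before any driver code runs. The mask is computed from the checked size rather than the array capacity, which is the same ordering the ioctl path already used.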
