Commit 01cb543d authored by Ben Hutchings's avatar Ben Hutchings
Browse files

sfc: Correct validation of peer_page_count in efx_vfdi_set_status_page()

efx_vfdi_set_status_page() validates the peer page count by
calculating the size of a request containing that many addresses and
comparing that with the maximum valid request size (4KB).  The
calculation involves a multiplication that may overflow on a 32-bit

We use kcalloc() to allocate memory to store the addresses; that also
does a multiplication and it does check for integer overflow, so any
values larger than 0x1fffffff will be rejected.  However, values in
the range [0x1fffffffc, 0x1fffffff] pass boh tests and result in an
attempt to allocate nearly 4GB on the heap.  This should be rejected
rather quickly as it's obviously impossible on a 32-bit system, and
indeed the maximum possible heap allocation is 32MB.  Still, let's
make absolutely sure by fixing the initial validation.

Signed-off-by: default avatarBen Hutchings <>
parent c3cb2a87
......@@ -796,12 +796,13 @@ static int efx_vfdi_set_status_page(struct efx_vf *vf)
struct efx_nic *efx = vf->efx;
struct vfdi_req *req = vf->buf.addr;
unsigned int page_count;
u64 page_count = req->u.set_status_page.peer_page_count;
u64 max_page_count =
offsetof(struct vfdi_req, u.set_status_page.peer_page_addr[0]))
/ sizeof(req->u.set_status_page.peer_page_addr[0]);
page_count = req->u.set_status_page.peer_page_count;
if (!req->u.set_status_page.dma_addr || EFX_PAGE_SIZE <
offsetof(struct vfdi_req,
u.set_status_page.peer_page_addr[page_count])) {
if (!req->u.set_status_page.dma_addr || page_count > max_page_count) {
if (net_ratelimit())
netif_err(efx, hw, efx->net_dev,
"ERROR: Invalid SET_STATUS_PAGE from %s\n",
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment