From: zhenwei pi <pizhenwei@bytedance.com> mainline inclusion from mainline-v6.7-rc1 commit fafb51a67fb883eb2dde352539df939a251851be category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LS CVE: CVE-2023-52762 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> Message-Id: <20230904061045.510460-1-pizhenwei@bytedance.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Conflicts: drivers/block/virtio_blk.c [ Context conflict. ] Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/virtio_blk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index e121a620d201..c4ffa7b8d77c 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -702,6 +702,7 @@ static int virtblk_probe(struct virtio_device *vdev) struct virtio_blk *vblk; struct request_queue *q; int err, index; + size_t max_dma_size; u32 v, blk_size, max_size, sg_elems, opt_io_size; u16 min_io_size; @@ -810,7 +811,8 @@ static int virtblk_probe(struct virtio_device *vdev) /* No real sector limit. */ blk_queue_max_hw_sectors(q, -1U); - max_size = virtio_max_dma_size(vdev); + max_dma_size = virtio_max_dma_size(vdev); + max_size = max_dma_size > U32_MAX ? U32_MAX : max_dma_size; /* Host can optionally specify maximum segment size and number of * segments. */ -- 2.39.2