From: zhenwei pi pizhenwei@bytedance.com
mainline inclusion
from mainline-v6.7-rc1
commit fafb51a67fb883eb2dde352539df939a251851be
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LS
CVE: CVE-2023-52762
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The following code has an implicit conversion from size_t to u32:
(u32)max_size = (size_t)virtio_max_dma_size(vdev);

This may lead to overflow, e.g. (size_t)4G -> (u32)0. Once
virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX
instead.
Signed-off-by: zhenwei pi pizhenwei@bytedance.com
Message-Id: 20230904061045.510460-1-pizhenwei@bytedance.com
Signed-off-by: Michael S. Tsirkin mst@redhat.com

Conflicts:
	drivers/block/virtio_blk.c
[ Context conflict. ]
Signed-off-by: Li Nan linan122@huawei.com
---
 drivers/block/virtio_blk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index e121a620d201..c4ffa7b8d77c 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -702,6 +702,7 @@ static int virtblk_probe(struct virtio_device *vdev) struct virtio_blk *vblk; struct request_queue *q; int err, index; + size_t max_dma_size;
u32 v, blk_size, max_size, sg_elems, opt_io_size; u16 min_io_size; @@ -810,7 +811,8 @@ static int virtblk_probe(struct virtio_device *vdev) /* No real sector limit. */ blk_queue_max_hw_sectors(q, -1U);
- max_size = virtio_max_dma_size(vdev); + max_dma_size = virtio_max_dma_size(vdev); + max_size = max_dma_size > U32_MAX ? U32_MAX : max_dma_size;
/* Host can optionally specify maximum segment size and number of * segments. */
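Review bot: the clamp in the second hunk of virtblk_probe(), `max_size = max_dma_size > U32_MAX ? U32_MAX : max_dma_size;`, is open-coded and carries no comment, so a later cleanup could fold it back into a direct assignment to the u32 and reintroduce the 4G -> 0 truncation the commit message describes. Consider `max_size = min_t(size_t, max_dma_size, U32_MAX);` with a one-line comment stating that virtio_max_dma_size() returns size_t and must be clamped before it is stored in `max_size`. Where size_t is 32 bits wide the `> U32_MAX` comparison can never be true; that is harmless, but the comment should make clear the clamp only matters on 64-bit builds. The new `size_t max_dma_size` local added in the first hunk is used only for this one clamp, so it could also be dropped in favour of passing the call result straight to min_t().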