[PATCH v3 11/12] virtio: rng: Check length before copying
Andrew Scull
ascull at google.com
Mon May 16 12:41:39 CEST 2022
Check the length of data written by the device is consistent with the
size of the buffers to avoid out-of-bounds memory accesses in case
values aren't consistent.
Signed-off-by: Andrew Scull <ascull at google.com>
Cc: Sughosh Ganu <sughosh.ganu at linaro.org>
Reviewed-by: Simon Glass <sjg at chromium.org>
---
drivers/virtio/virtio_rng.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c
index 9314c0a03e..b85545c2ee 100644
--- a/drivers/virtio/virtio_rng.c
+++ b/drivers/virtio/virtio_rng.c
@@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
while (!virtqueue_get_buf(priv->rng_vq, &rsize))
;
+ if (rsize > sg.length)
+ return -EIO;
+
memcpy(ptr, buf, rsize);
len -= rsize;
ptr += rsize;
--
2.36.0.550.gb090851708-goog
More information about the U-Boot
mailing list