From 43937a4f5e411b3a82014fe0fa78ef4de90b11c2 Mon Sep 17 00:00:00 2001 From: Andrew Scull Date: Mon, 16 May 2022 10:41:39 +0000 Subject: [PATCH] virtio: rng: Check length before copying Check the length of data written by the device is consistent with the size of the buffers to avoid out-of-bounds memory accesses in case values aren't consistent. Signed-off-by: Andrew Scull Cc: Sughosh Ganu Reviewed-by: Simon Glass --- drivers/virtio/virtio_rng.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c index 9314c0a..b85545c 100644 --- a/drivers/virtio/virtio_rng.c +++ b/drivers/virtio/virtio_rng.c @@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len) while (!virtqueue_get_buf(priv->rng_vq, &rsize)) ; + if (rsize > sg.length) + return -EIO; + memcpy(ptr, buf, rsize); len -= rsize; ptr += rsize; -- 2.7.4