Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1238393pxb;
        Fri, 20 Aug 2021 00:46:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxKqloWFXfCnknQUr6UFKmPW7WNi4vVjNOU0eJQBnWN09PMOmz3hcl+SOKOua2iRlqPJoAu
X-Received: by 2002:aa7:c64f:: with SMTP id z15mr21481535edr.54.1629445564217;
        Fri, 20 Aug 2021 00:46:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629445564; cv=none;
        d=google.com; s=arc-20160816;
        b=V+b44ffzipzBpm1TXbhM+V9FCY3WL5WI1p7WLLhRIFToslopk0UUjvOXJ7tzitVA+O
         iJ42bng0LnKFPVlJLjrcm8UVdkiexbXYnsk6dUTRWqqlOpT4M8W7NrmW+CO+l1FcPJLY
         2lMuLJ68PWy4uxnAYOwNhynGzjUSO17PBTX+zh77i7meuY25jMeU+4aE7EvfAcraqj0Q
         Lx9AeKnt5EU3NyAkllSRIi2byPK8TwIXhLAl4mWD5xeTq0CiUZmt4pW8AoUeFHLx2K8d
         he9yK6vPYkNQAbGQsW3LytzdXEB2DnUFxy7LEmXvU5/4q38DEv22Wf7piulGFyDAvjJp
         jvcA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=6Kf8if/Ule6DOiwR9fSqmoe3ho/zR1feJbHpeODEPb8=;
        b=pH5l7A11eZ/blavn1+dU7BpoiEcw8dV5RH047YzeIOth7MKQ6iT51oEW+pQ2f8soOl
         LPI5x1ytcbiFLqYmpKigcHau7Kxg0HZWFXN51StW16NZnwQ759ugWHkwdXoeBf/ONiCJ
         37ucl55QB7ND79ltdXZoaFQ6y7MMZy7km0So4BRDv9ddgYpslelu7CGEMx5Qv2f5JYxm
         HmhG596LP7/fQDwyigUFKUiTx9n5KLMyE5V1pUCySIFjnIm5/yWfNd4Uu10HZO/bPI+P
         wodItO2fsI3QE3qmhOUNyAl8v17R3KUNfEf0cuUV2e18lEy3nvp4vnLYR/nYzcTXOHS1
         oVbg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id q1si5756794ejr.43.2021.08.20.00.45.36;
        Fri, 20 Aug 2021 00:46:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238776AbhHTHml (ORCPT <rfc822;liukuiyu0707@gmail.com>
        + 99 others); Fri, 20 Aug 2021 03:42:41 -0400
Received: from out30-133.freemail.mail.aliyun.com ([115.124.30.133]:54804 "EHLO
        out30-133.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S233162AbhHTHml (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 20 Aug 2021 03:42:41 -0400
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R291e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04395;MF=xianting.tian@linux.alibaba.com;NM=1;PH=DS;RN=6;SR=0;TI=SMTPD_---0UkIp0ln_1629445319;
Received: from localhost(mailfrom:xianting.tian@linux.alibaba.com fp:SMTPD_---0UkIp0ln_1629445319)
          by smtp.aliyun-inc.com(127.0.0.1);
          Fri, 20 Aug 2021 15:42:00 +0800
From:   Xianting Tian <xianting.tian@linux.alibaba.com>
To:     amit@kernel.org, arnd@arndb.de, gregkh@linuxfoundation.org
Cc:     virtualization@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org,
        Xianting Tian <xianting.tian@linux.alibaba.com>
Subject: [PATCH 2/2] virtio_console: protect max_nr_ports to avoid invalid value
Date:   Fri, 20 Aug 2021 15:41:56 +0800
Message-Id: <20210820074156.202243-1-xianting.tian@linux.alibaba.com>
X-Mailer: git-send-email 2.17.1
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In theory untrusted remote host can pass a big or overflow value
of max_nr_ports to guest, it may cause guest system consumes
a lot of memory when create vqs and other impacts.

Add the protection to guarantee max_nr_ports to get a safa value.

Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
---
 drivers/char/virtio_console.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 7eaf303a7..bba985c81 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -29,6 +29,8 @@
 
 #define is_rproc_enabled IS_ENABLED(CONFIG_REMOTEPROC)
 
+#define MAX_NR_PORTS	MAX_NR_HVC_CONSOLES
+
 /*
  * This is a global struct for storing common data for all the devices
  * this driver handles.
@@ -2039,6 +2041,9 @@ static int virtcons_probe(struct virtio_device *vdev)
 		multiport = true;
 	}
 
+	/* limit max_nr_ports to avoid invalid value from untrusted remote host */
+	portdev->max_nr_ports = min_t(u32, portdev->max_nr_ports, MAX_NR_PORTS);
+
 	err = init_vqs(portdev);
 	if (err < 0) {
 		dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
-- 
2.17.1