Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1243481pxb;
        Fri, 20 Aug 2021 00:56:48 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyFCGPVv94OI6sDyvSA3ZYdjyiGxvpwdQmpoPkax+NzI46Ep1FaQtz0VW4iqNytli1igsWw
X-Received: by 2002:a17:907:98b2:: with SMTP id ju18mr20262607ejc.15.1629446207945;
        Fri, 20 Aug 2021 00:56:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629446207; cv=none;
        d=google.com; s=arc-20160816;
        b=0e+uixqNhteksz7DsOukE+ra8B87X6hFCgtjadJU4mg+KBF1+vpwW2+HUXpkyJhKol
         8YwFV74q+q3T5xBwcMOsdvy1gEPm96d/3KfvYP2LYlOTkfjYLs0/hoWJTR88oF4X1hjB
         fSi1tnYsIj9P55lPRATrCngUX66WnfvD2taXpt66owKusezqa94VNuwUeCOIqc/mi8EV
         z6Cyorn/2p2L6EEuAlVCshAFKmZXm25KkBOOPKaNz6bT6wzffC+y42HJCANuJH8Go+3C
         yw4VuD9I7omjKJjYVifB8qfiSZw8ec69VyXtNGA7EVJyBiUwH44jgTyWtxFWGeMcIbwx
         PlZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=c6VmEi53sHolUf29kejvwqTf97ssmtThWOBqvZYMl08=;
        b=vxdRCnNdNiJiw+tPJh8ONzcZlcl87VaZoeijYRC+3qBkK9qqWm2T6IBibzrSnTNgSg
         Ons8LXUM7kZWHRs90CPd3kbTPzsVlVjC0eEwez5oI5+5g9WWN+iptqAZy0Qn6KxRcdKJ
         wZlLLvscG1QbdKm3dssgW3ndsiLGhIN9GUbcRu3KaaoLpQEoaFlIBFUpJI9nGNSDO2Ae
         mDmUykOIlERy3NrvgKKF8YOPIwrPnOATfz1uq8yPy2YKMuHoeo86pT3u7IlxZsXw1mXx
         eWyCsrmWrS+UETk1vT5X+a5Qu+vqr8j4gQrv2MFmVQaRH7LMTUMXztJz/khKEHgOJV7U
         SRDQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h23si6119795edj.326.2021.08.20.00.56.21;
        Fri, 20 Aug 2021 00:56:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238492AbhHTHxB (ORCPT <rfc822;liukuiyu0707@gmail.com>
        + 99 others); Fri, 20 Aug 2021 03:53:01 -0400
Received: from out30-54.freemail.mail.aliyun.com ([115.124.30.54]:35943 "EHLO
        out30-54.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S236378AbhHTHxA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 20 Aug 2021 03:53:00 -0400
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R841e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04400;MF=xianting.tian@linux.alibaba.com;NM=1;PH=DS;RN=6;SR=0;TI=SMTPD_---0UkHjRXA_1629445940;
Received: from localhost(mailfrom:xianting.tian@linux.alibaba.com fp:SMTPD_---0UkHjRXA_1629445940)
          by smtp.aliyun-inc.com(127.0.0.1);
          Fri, 20 Aug 2021 15:52:21 +0800
From:   Xianting Tian <xianting.tian@linux.alibaba.com>
To:     amit@kernel.org, arnd@arndb.de, gregkh@linuxfoundation.org
Cc:     virtualization@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org,
        Xianting Tian <xianting.tian@linux.alibaba.com>
Subject: [RESEND][PATCH] virtio_console: protect max_nr_ports to avoid invalid value
Date:   Fri, 20 Aug 2021 15:52:19 +0800
Message-Id: <20210820075219.202404-1-xianting.tian@linux.alibaba.com>
X-Mailer: git-send-email 2.17.1
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In theory untrusted remote host can pass a big or overflow value
of max_nr_ports to guest, it may cause guest system consumes
a lot of memory when create vqs and other impacts.

Add the protection to guarantee max_nr_ports to get a safe value.

Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
---
 drivers/char/virtio_console.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 7eaf303a7..bba985c81 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -29,6 +29,8 @@
 
 #define is_rproc_enabled IS_ENABLED(CONFIG_REMOTEPROC)
 
+#define MAX_NR_PORTS	MAX_NR_HVC_CONSOLES
+
 /*
  * This is a global struct for storing common data for all the devices
  * this driver handles.
@@ -2039,6 +2041,9 @@ static int virtcons_probe(struct virtio_device *vdev)
 		multiport = true;
 	}
 
+	/* limit max_nr_ports to avoid invalid value from untrusted remote host */
+	portdev->max_nr_ports = min_t(u32, portdev->max_nr_ports, MAX_NR_PORTS);
+
 	err = init_vqs(portdev);
 	if (err < 0) {
 		dev_err(&vdev->dev, "Error %d initializing vqs\n", err);
-- 
2.17.1