Commit 79976620 authored Aug 05, 2025 by Radim Krčmář Committed by Anup Patel Aug 25, 2025

RISC-V: KVM: fix stack overrun when loading vlenb



The userspace load can put up to 2048 bits into an xlen bit stack
buffer.  We want only xlen bits, so check the size beforehand.

Fixes: 2fa29037 ("RISC-V: KVM: add 'vlenb' Vector CSR")
Cc: stable@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@ventanamicro.com>
Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Link: https://lore.kernel.org/r/20250805104418.196023-4-rkrcmar@ventanamicro.com


Signed-off-by: Anup Patel <anup@brainfault.org>

parent e61a12a4

arch/riscv/kvm/vcpu_vector.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -182,6 +182,8 @@ int kvm_riscv_vcpu_set_reg_vector(struct kvm_vcpu *vcpu,
		struct kvm_cpu_context *cntx = &vcpu->arch.guest_context;
		unsigned long reg_val;

		if (reg_size != sizeof(reg_val))
		return -EINVAL;
		if (copy_from_user(&reg_val, uaddr, reg_size))
		return -EFAULT;
		if (reg_val != cntx->vector.vlenb)