From 525ce2f11ccb6b24db925dc04a421f09acb34598 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Mon, 25 Nov 2024 15:52:58 -0500
Subject: [PATCH] virtio_net: Add hash_key_length check

JIRA: https://issues.redhat.com/browse/RHEL-68253
CVE: CVE-2024-53082
Upstream: Merged

commit 3f7d9c1964fcd16d02a8a9d4fd6f6cb60c4cc530
Author: Philo Lu <lulie@linux.alibaba.com>
Date:   Mon Nov 4 16:57:04 2024 +0800

    virtio_net: Add hash_key_length check

    Add hash_key_length check in virtnet_probe() to avoid possible out of
    bound errors when setting/reading the hash key.

    Fixes: c7114b1249fa ("drivers/net/virtio_net: Added basic RSS support.")
    Signed-off-by: Philo Lu <lulie@linux.alibaba.com>
    Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
    Acked-by: Joe Damato <jdamato@fastly.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 drivers/net/virtio_net.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 0b7866a374d2..f51efd3ea69e 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -4317,6 +4317,12 @@ static int virtnet_probe(struct virtio_device *vdev)
 				rss_max_indirection_table_length));
 		vi->rss_key_size =
 			virtio_cread8(vdev, offsetof(struct virtio_net_config, rss_max_key_size));
+		if (vi->rss_key_size > VIRTIO_NET_RSS_MAX_KEY_SIZE) {
+			dev_err(&vdev->dev, "rss_max_key_size=%u exceeds the limit %u.\n",
+				vi->rss_key_size, VIRTIO_NET_RSS_MAX_KEY_SIZE);
+			err = -EINVAL;
+			goto free;
+		}
 
 		vi->rss_hash_types_supported =
 		    virtio_cread32(vdev, offsetof(struct virtio_net_config, supported_hash_types));