mshv_partition_create_region() computes mem->guest_pfn + nr_pages to
check for overlapping regions without verifying u64 wraparound. A
sufficiently large guest_pfn can cause the addition to overflow,
bypassing the overlap check and allowing creation of regions that wrap
around the address space.
Fix by using check_add_overflow() to reject such regions early, and
validate that the region end does not exceed MAX_PHYSMEM_BITS. These
checks also protect downstream callers that compute start_gfn +
nr_pages on stored regions without overflow guards.
Fixes: 621191d709b1 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Reported-by: Yuhao Jiang <[email protected]>
Suggested-by: Roman Kisel <[email protected]>
Cc: [email protected]
Signed-off-by: Junrui Luo <[email protected]>
---
Changes in v2:
- Add a maximum check suggested by Roman Kisel
- Link to v1: https://lore.kernel.org/all/sybpr01mb7881689c0f58149dd986a6d1af...@sybpr01mb7881.ausprd01.prod.outlook.com/
---
drivers/hv/mshv_root_main.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
index 6f42423f7faa..32826247dbce 100644
--- a/drivers/hv/mshv_root_main.c
+++ b/drivers/hv/mshv_root_main.c
@@ -1174,11 +1174,20 @@ static int mshv_partition_create_region(struct
mshv_partition *partition,
{
struct mshv_mem_region *rg;
u64 nr_pages = HVPFN_DOWN(mem->size);
+ u64 new_region_end;
+
+ /* Reject regions whose end address would wrap around */
+ if (check_add_overflow(mem->guest_pfn, nr_pages, &new_region_end))
+ return -EOVERFLOW;
+
+ /* Reject regions beyond the maximum physical address */
+ if (new_region_end > HVPFN_DOWN(1ULL << MAX_PHYSMEM_BITS))
+ return -EINVAL;
/* Reject overlapping regions */
spin_lock(&partition->pt_mem_regions_lock);
hlist_for_each_entry(rg, &partition->pt_mem_regions, hnode) {
- if (mem->guest_pfn + nr_pages <= rg->start_gfn ||
+ if (new_region_end <= rg->start_gfn ||
rg->start_gfn + rg->nr_pages <= mem->guest_pfn)
continue;
spin_unlock(&partition->pt_mem_regions_lock);
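Review bot: the upper bound in `if (new_region_end > HVPFN_DOWN(1ULL << MAX_PHYSMEM_BITS))` compares a guest frame number against the host's physical address width; MAX_PHYSMEM_BITS describes what the root partition's page tables can map, not the guest-physical space the hypervisor grants a child partition, so this is a host-side sanity bound rather than the architectural guest limit, and the comment `/* Reject regions beyond the maximum physical address */` would be clearer if it said so. The `>` comparison is correct since new_region_end is exclusive, so a region ending exactly at the limit is still accepted. check_add_overflow() is defined in linux/overflow.h and the diff adds no include, so please confirm the header is already reachable through the existing includes of mshv_root_main.c on all configs that build this driver. Reusing new_region_end in the loop condition also removes the only in-function recomputation of the sum, which is good; the `rg->start_gfn + rg->nr_pages` term on the stored region stays unchecked but is safe once every stored region has passed this same check on creation, as the commit message notes.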
---
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260328-fixes-0296eb3dbb52
Best regards,
--
Junrui Luo <[email protected]>
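The wraparound described in the commit message, reproduced in userspace as an added example (not code from the patch or the mshv_root driver): the pre-fix overlap test beside the checked version. Assumed stand-ins, not taken from the driver: __builtin_add_overflow() for check_add_overflow(), a 4 KiB Hyper-V page shift for HVPFN_DOWN(), MAX_PHYSMEM_BITS fixed at 46, and -EEXIST as the error for a genuine overlap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the kernel definitions (not taken from the driver):
 * Hyper-V pages are 4 KiB, so HVPFN_DOWN(x) is x >> 12, and MAX_PHYSMEM_BITS
 * is fixed at 46 (x86-64 with 4-level paging). */
#define HV_HYP_PAGE_SHIFT 12
#define HVPFN_DOWN(x) ((x) >> HV_HYP_PAGE_SHIFT)
#define MAX_PHYSMEM_BITS 46
#define MAX_GFN_END HVPFN_DOWN(1ULL << MAX_PHYSMEM_BITS)

struct mem_region {
	uint64_t start_gfn;
	uint64_t nr_pages;
};

/* Constructed partition state: one existing region of 256 pages at GFN 0x1000. */
static const struct mem_region existing[] = {
	{ .start_gfn = 0x1000, .nr_pages = 0x100 },
};
#define N_EXISTING (sizeof(existing) / sizeof(existing[0]))

/* Pre-fix logic: guest_pfn + nr_pages may wrap, and a wrapped end is smaller
 * than every stored start, so the second test always passes for a huge GFN. */
static int create_region_unchecked(uint64_t guest_pfn, uint64_t nr_pages)
{
	for (size_t i = 0; i < N_EXISTING; i++) {
		const struct mem_region *rg = &existing[i];

		if (guest_pfn + nr_pages <= rg->start_gfn ||
		    rg->start_gfn + rg->nr_pages <= guest_pfn)
			continue;
		return -EEXIST; /* overlap error code is this example's choice */
	}
	return 0;
}

/* Fixed logic: reject a wrapped end, then an end past the physical limit,
 * then an overlap, in that order, mirroring the patch. */
static int create_region_checked(uint64_t guest_pfn, uint64_t nr_pages)
{
	uint64_t new_region_end;

	/* __builtin_add_overflow is the userspace equivalent of check_add_overflow() */
	if (__builtin_add_overflow(guest_pfn, nr_pages, &new_region_end))
		return -EOVERFLOW;

	/* new_region_end is exclusive, so ending exactly at the limit is allowed */
	if (new_region_end > MAX_GFN_END)
		return -EINVAL;

	for (size_t i = 0; i < N_EXISTING; i++) {
		const struct mem_region *rg = &existing[i];

		if (new_region_end <= rg->start_gfn ||
		    rg->start_gfn + rg->nr_pages <= guest_pfn)
			continue;
		return -EEXIST;
	}
	return 0;
}

int main(void)
{
	/* 0x2000 pages starting 0x100 pages below 2^64: the end wraps to 0x1F00 */
	const uint64_t wrap_gfn = 0xFFFFFFFFFFFFFF00ULL;

	printf("wrapping region, unchecked: %d\n", create_region_unchecked(wrap_gfn, 0x2000));
	printf("wrapping region, checked:   %d\n", create_region_checked(wrap_gfn, 0x2000));
	printf("past MAX_PHYSMEM_BITS:      %d\n", create_region_checked(MAX_GFN_END, 1));
	printf("ending at the limit:        %d\n", create_region_checked(MAX_GFN_END - 1, 1));
	printf("real overlap:               %d\n", create_region_checked(0x1080, 0x10));
	printf("disjoint region:            %d\n", create_region_checked(0x2000, 0x100));
	return 0;
}
```

The unchecked path accepts the wrapping region because its wrapped end (0x1F00) is not below the stored start and the stored end (0x1100) is below the huge guest_pfn, so neither test fires; the checked path rejects it before the list is ever walked.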