powerpc/lib: Validate size for vector operations

jira VULN-8150
cve CVE-2023-52606
commit-author Naveen N Rao <[email protected]>
commit 8f9abaa

Some of the fp/vmx code in sstep.c assume a certain maximum size for the
instructions being emulated. The size of those operations however is
determined separately in analyse_instr().

Add a check to validate the assumption on the maximum size of the
operations, so as to prevent any unintended kernel stack corruption.

	Signed-off-by: Naveen N Rao <[email protected]>
	Reviewed-by: Gustavo A. R. Silva <[email protected]>
Build-tested-by: Gustavo A. R. Silva <[email protected]>
	Signed-off-by: Michael Ellerman <[email protected]>
Link: https://msgid.link/[email protected]
(cherry picked from commit 8f9abaa)
	Signed-off-by: Marcin Wcisło <[email protected]>

Author: pvts-mat

arch/powerpc/lib/sstep.c

@@ -591,6 +591,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea,
 	} u;
 
 	nb = GETSIZE(op->type);
+	if (nb > sizeof(u))
+		return -EINVAL;
 	if (!address_ok(regs, ea, nb))
 		return -EFAULT;
 	rn = op->reg;
@@ -641,6 +643,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea,
 	} u;
 
 	nb = GETSIZE(op->type);
+	if (nb > sizeof(u))
+		return -EINVAL;
 	if (!address_ok(regs, ea, nb))
 		return -EFAULT;
 	rn = op->reg;
@@ -685,6 +689,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea,
 		u8 b[sizeof(__vector128)];
 	} u = {};
 
+	if (size > sizeof(u))
+		return -EINVAL;
+
 	if (!address_ok(regs, ea & ~0xfUL, 16))
 		return -EFAULT;
 	/* align to multiple of size */
@@ -712,6 +719,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea,
 		u8 b[sizeof(__vector128)];
 	} u;
 
+	if (size > sizeof(u))
+		return -EINVAL;
+
 	if (!address_ok(regs, ea & ~0xfUL, 16))
 		return -EFAULT;
 	/* align to multiple of size */