Hi Benjamin, I'm working on a related fix for 'vcn_v3_0_dec_msg()' that you might want to be aware of. In your updated bounds check:

    if (size < 4 || offset + size > end - addr)

the 'offset' and 'size' fields in the VCN decode message buffer are both u32 values sourced from userspace. The check performs 32-bit arithmetic before comparison against the 64-bit 'end' value, allowing a crafted message with offset=0xffffffff and size=1 to wrap around to 0 and bypass the bounds check. Fix this by casting 'offset' to u64 before the addition so the comparison is done in 64-bit arithmetic.

Best regards,
Alexey Nepomnyashih
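The wrap described above, as an added stand-alone example that is not part of this thread or of the amdgpu driver: the vulnerable 32-bit check and the widened 64-bit check side by side, run over a constructed 4 KiB buffer. The buffer address, the field names and the message values are assumptions made for the example; the wrapping case uses offset=0xfffffffc with size=4 so that the `size < 4` clause is satisfied and only the overflow in `offset + size` decides the outcome.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not the driver's code): `offset` and `size` are the
 * two u32 fields read from the userspace-supplied decode message, while
 * `addr` and `end` are the 64-bit bounds of the buffer that backs it.
 */

/* Vulnerable form: offset + size is computed in 32-bit arithmetic and can
 * wrap before it is widened for the comparison against end - addr.
 * Returns 1 when the message is accepted, 0 when it is rejected. */
static int accept_u32(uint32_t offset, uint32_t size, uint64_t addr, uint64_t end)
{
	if (size < 4 || offset + size > end - addr)
		return 0;
	return 1;
}

/* Hardened form: widen offset to u64 first so the addition cannot wrap. */
static int accept_u64(uint32_t offset, uint32_t size, uint64_t addr, uint64_t end)
{
	if (size < 4 || (uint64_t)offset + size > end - addr)
		return 0;
	return 1;
}

/* Where the message actually ends, computed without wrap, so a reader can
 * see how far past `end` a wrongly accepted message would reach. */
static uint64_t msg_end(uint32_t offset, uint32_t size, uint64_t addr)
{
	return addr + (uint64_t)offset + size;
}

int main(void)
{
	/* Constructed buffer: 4 KiB at an assumed 64-bit GPU address. */
	const uint64_t addr = 0x100000000ULL;
	const uint64_t end  = addr + 0x1000;

	struct { const char *name; uint32_t offset, size; } cases[] = {
		{ "in-bounds message",         0x100,      0x40 },
		{ "plainly oversized message", 0x100,      0x2000 },
		/* offset + size == 0x100000000, which wraps to 0 as a u32 */
		{ "wrapping offset/size pair", 0xfffffffc, 4 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("%-26s u32 check: %-6s u64 check: %-6s real end: 0x%llx (buffer end 0x%llx)\n",
		       cases[i].name,
		       accept_u32(cases[i].offset, cases[i].size, addr, end) ? "accept" : "reject",
		       accept_u64(cases[i].offset, cases[i].size, addr, end) ? "accept" : "reject",
		       (unsigned long long)msg_end(cases[i].offset, cases[i].size, addr),
		       (unsigned long long)end);
	}
	return 0;
}
```

The third case is the interesting one: `accept_u32()` lets it through because the u32 sum is 0, which is never greater than `end - addr`, while `accept_u64()` rejects it, and `msg_end()` shows the message would extend 4 GiB beyond the buffer. The same wrap applies to any `offset`/`size` pair whose true sum is 0x100000000 or more, not only to the single pair used here.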
