Message ID | 20230130083843.802106-1-Ilia.Gavrilov@infotecs.ru |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2072054wrn; Mon, 30 Jan 2023 00:43:50 -0800 (PST) X-Google-Smtp-Source: AK7set8EOuVi3WNnx/egYl7LwBXBkfKiAsX17cFXRaMZ0REso3CrN4xH0nd/5GcwjMEHLqKU3901 X-Received: by 2002:a17:906:d786:b0:87b:dc0a:b6a4 with SMTP id pj6-20020a170906d78600b0087bdc0ab6a4mr10784631ejb.75.1675068229915; Mon, 30 Jan 2023 00:43:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1675068229; cv=none; d=google.com; s=arc-20160816; b=VUJ4yfT1Re9gRHQ53255a6Ls2gQvg5Ga/Yzp/PDx4L0tcxmgwQbyxTL++Evmjii9ZT 2u8gRog3YykdDEG5cP8Kg3VmLCq6Ttqk9Tv+wlrOtmPn5Rn4m7aXqWIBNDyFz/6Byg/9 DufYnL5Lw3UlRa7E8l76oJvw9D+hf+9HQRWTt7d3e9c2raHncBRwobDUX6Rju0zl+n6a Jv0blzBKYgssqfjMub2y7c9l43QAPNnaLKcOYSaJVgn07TuGxXbA7oJCM/r6KCdEDDy1 LLz0a9yqCfvbiGnRaUcfUl0479u2cQqDeoy2VeISCV0iDAHNLYTLNZt37ek3Lol4LDuk m9uw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-language:accept-language:message-id:date:thread-index :thread-topic:subject:cc:to:from:dkim-signature:dkim-filter; bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=; b=Q+xAtc7rchzLoT0EkI/xwfjxZkQmb91aeY6why1Enmxgi20g354IZpRoUdDeR7Sar/ ugz/oYHviogYoDi1I2F2FUFdlVs0SblADXmOhAEVW9adIgctmJgfTU0IT1+73AqoQZsX h/GkQOAvva94Xol2V3GngYZFXX10oKBlWc3vl13MCDOgXpYoCbkfD7W0hdB4o+ouT/Rr 0+Q4Js+qNXDXTtHvyKbLGV8K/LGK57QFxC4+iMfpbROn5RTuQRns7CENHpSBzGZo68sy 7BJ4i9TjOWvaM+EhGGwgx8SbzwrQZEdMJRhXhSWBmip+OZatxfCVnT4DnHHhS5ai72NB qQFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v16-20020a17090651d000b00882a397eb82si8048853ejk.343.2023.01.30.00.43.23; Mon, 30 Jan 2023 00:43:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236059AbjA3Iii (ORCPT <rfc822;n2h9z4@gmail.com> + 99 others); Mon, 30 Jan 2023 03:38:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236054AbjA3Iid (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 30 Jan 2023 03:38:33 -0500 Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3955E2A9A7 for <linux-kernel@vger.kernel.org>; Mon, 30 Jan 2023 00:38:29 -0800 (PST) Received: from mx0.infotecs-nt (localhost [127.0.0.1]) by mx0.infotecs.ru (Postfix) with ESMTP id A1D211395294; Mon, 30 Jan 2023 11:38:25 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru A1D211395294 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx; t=1675067905; bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=; h=From:To:CC:Subject:Date:From; b=F3uh0uGe06HBVXf0cRGzhX835rxl1VKhFd6fGHfmsxC57h+fDF/Ax4NlWpZB8mTP8 HROumvPxgCVffCMcrX5iktA1Fhg7d1Y1tTs2IaI3eJwSEX6tIgN647iDH501LhseGt hEI28PbXf7bxjhROIdpA2GqO0E+wkglUGGaM7x7I= Received: from msk-exch-02.infotecs-nt (msk-exch-02.infotecs-nt [10.0.7.192]) by mx0.infotecs-nt (Postfix) with ESMTP id 9F4D83173E2B; Mon, 30 Jan 2023 11:38:25 +0300 (MSK) From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> To: Joerg Roedel <joro@8bytes.org> CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>, Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>, Wan Zongshun <Vincent.Wan@amd.com>, "iommu@lists.linux.dev" <iommu@lists.linux.dev>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org> Subject: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid command-line parameter Thread-Topic: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid command-line parameter Thread-Index: AQHZNIY3Lh3R018RS0y2wA56kccocQ== Date: Mon, 30 Jan 2023 08:38:25 +0000 Message-ID: <20230130083843.802106-1-Ilia.Gavrilov@infotecs.ru> Accept-Language: ru-RU, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.17.0.10] x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-KLMS-Rule-ID: 1 X-KLMS-Message-Action: clean X-KLMS-AntiSpam-Lua-Profiles: 175098 [Jan 30 2023] X-KLMS-AntiSpam-Version: 5.9.59.0 X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru X-KLMS-AntiSpam-Rate: 0 X-KLMS-AntiSpam-Status: not_detected X-KLMS-AntiSpam-Method: none X-KLMS-AntiSpam-Auth: dkim=none X-KLMS-AntiSpam-Info: LuaCore: 502 502 69dee8ef46717dd3cb3eeb129cb7cc8dab9e30f6, {Tracking_from_domain_doesnt_match_to}, infotecs.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;127.0.0.199:7.1.2 X-MS-Exchange-Organization-SCL: -1 X-KLMS-AntiSpam-Interceptor-Info: scan successful X-KLMS-AntiPhishing: Clean, bases: 2023/01/30 06:50:00 X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30, bases: 2023/01/30 05:51:00 #20820122 X-KLMS-AntiVirus-Status: Clean, skipped X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1756436344030583439?= X-GMAIL-MSGID: =?utf-8?q?1756436344030583439?= |
Series |
iommu/amd: @Add a length limitation for the ivrs_acpihid command-line parameter
|
|
Commit Message
Gavrilov Ilia
Jan. 30, 2023, 8:38 a.m. UTC
The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
drivers/iommu/amd/init.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
Comments
Not sure what that '@' is doing in the subject line... On 1/30/23 2:38 AM, Gavrilov Ilia wrote: > The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, > because the string specifier in the format string sscanf() > has no width limitation. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> cc: stable? > --- > drivers/iommu/amd/init.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c > index 467b194975b3..19a46b9f7357 100644 > --- a/drivers/iommu/amd/init.c > +++ b/drivers/iommu/amd/init.c > @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) > return 1; > } > > +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) > + > static int __init parse_ivrs_acpihid(char *str) > { > u32 seg = 0, bus, dev, fn; > char *hid, *uid, *p, *addr; > - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; > + char acpiid[ACPIID_LEN] = {0}; > int i; > > addr = strchr(str, '@'); > if (!addr) { > + addr = strchr(str, '='); > + if (!addr) > + goto not_found; > + > + ++addr; > + > + if (strlen(addr) > ACPIID_LEN) > + goto not_found; > + > if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || > sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { > pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", > @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) > /* We have the '@', make it the terminator to get just the acpiid */ > *addr++ = 0; > > + if (strlen(str) > ACPIID_LEN + 1) > + goto not_found; > + > if (sscanf(str, "=%s", acpiid) != 1) > goto not_found; > That works, or, this fix might be able to be made more brief if we could transform all the sscanf's '%s's to: "%" __stringify(ACPIID_LEN) "s" but the latter might make the already long sscanf line lengths longer... Either way: Reviewed-by: Kim Phillips <kim.phillips@amd.com> Kim
On 2/2/23 03:44, Kim Phillips wrote: > Not sure what that '@' is doing in the subject line... > Sorry, this is my typo. I'll fix it in V2. > On 1/30/23 2:38 AM, Gavrilov Ilia wrote: >> The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, >> because the string specifier in the format string sscanf() >> has no width limitation. >> >> Found by InfoTeCS on behalf of Linux Verification Center >> (linuxtesting.org) with SVACE. >> >> Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel >> parameter") >> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> > > cc: stable? > I'll add it to V2. >> --- >> drivers/iommu/amd/init.c | 16 +++++++++++++++- >> 1 file changed, 15 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c >> index 467b194975b3..19a46b9f7357 100644 >> --- a/drivers/iommu/amd/init.c >> +++ b/drivers/iommu/amd/init.c >> @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) >> return 1; >> } >> +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) >> + >> static int __init parse_ivrs_acpihid(char *str) >> { >> u32 seg = 0, bus, dev, fn; >> char *hid, *uid, *p, *addr; >> - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; >> + char acpiid[ACPIID_LEN] = {0}; >> int i; >> addr = strchr(str, '@'); >> if (!addr) { >> + addr = strchr(str, '='); >> + if (!addr) >> + goto not_found; >> + >> + ++addr; >> + >> + if (strlen(addr) > ACPIID_LEN) >> + goto not_found; >> + >> if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == >> 4 || >> sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, >> acpiid) == 5) { >> pr_warn("ivrs_acpihid%s option format deprecated; use >> ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", >> @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) >> /* We have the '@', make it the terminator to get just the >> acpiid */ >> *addr++ = 0; >> + if (strlen(str) > ACPIID_LEN + 1) >> + goto not_found; >> + >> if (sscanf(str, "=%s", acpiid) != 1) >> goto not_found; > > That works, or, this fix might be able to be made more brief if > we could transform all the sscanf's '%s's to: > > "%" __stringify(ACPIID_LEN) "s" > I tried to use __stringify, but I didn't find a brief way to do it correctly for the expression (ACPIHID_UID_LAN + ACPIHID_HID_LAN). The preprocessor does not evaluates a constant, but simply substitutes (256+9). > but the latter might make the already long sscanf line lengths longer... > > Either way: > > Reviewed-by: Kim Phillips <kim.phillips@amd.com> > > Kim Thank you for review.
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index 467b194975b3..19a46b9f7357 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) return 1; } +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) + static int __init parse_ivrs_acpihid(char *str) { u32 seg = 0, bus, dev, fn; char *hid, *uid, *p, *addr; - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; + char acpiid[ACPIID_LEN] = {0}; int i; addr = strchr(str, '@'); if (!addr) { + addr = strchr(str, '='); + if (!addr) + goto not_found; + + ++addr; + + if (strlen(addr) > ACPIID_LEN) + goto not_found; + if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) /* We have the '@', make it the terminator to get just the acpiid */ *addr++ = 0; + if (strlen(str) > ACPIID_LEN + 1) + goto not_found; + if (sscanf(str, "=%s", acpiid) != 1) goto not_found;