| Message ID | 20230130083843.802106-1-Ilia.Gavrilov@infotecs.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2072054wrn;
Mon, 30 Jan 2023 00:43:50 -0800 (PST)
X-Google-Smtp-Source:
AK7set8EOuVi3WNnx/egYl7LwBXBkfKiAsX17cFXRaMZ0REso3CrN4xH0nd/5GcwjMEHLqKU3901
X-Received: by 2002:a17:906:d786:b0:87b:dc0a:b6a4 with SMTP id
pj6-20020a170906d78600b0087bdc0ab6a4mr10784631ejb.75.1675068229915;
Mon, 30 Jan 2023 00:43:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675068229; cv=none;
d=google.com; s=arc-20160816;
b=VUJ4yfT1Re9gRHQ53255a6Ls2gQvg5Ga/Yzp/PDx4L0tcxmgwQbyxTL++Evmjii9ZT
2u8gRog3YykdDEG5cP8Kg3VmLCq6Ttqk9Tv+wlrOtmPn5Rn4m7aXqWIBNDyFz/6Byg/9
DufYnL5Lw3UlRa7E8l76oJvw9D+hf+9HQRWTt7d3e9c2raHncBRwobDUX6Rju0zl+n6a
Jv0blzBKYgssqfjMub2y7c9l43QAPNnaLKcOYSaJVgn07TuGxXbA7oJCM/r6KCdEDDy1
LLz0a9yqCfvbiGnRaUcfUl0479u2cQqDeoy2VeISCV0iDAHNLYTLNZt37ek3Lol4LDuk
m9uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:content-language:accept-language:message-id:date:thread-index
:thread-topic:subject:cc:to:from:dkim-signature:dkim-filter;
bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=;
b=Q+xAtc7rchzLoT0EkI/xwfjxZkQmb91aeY6why1Enmxgi20g354IZpRoUdDeR7Sar/
ugz/oYHviogYoDi1I2F2FUFdlVs0SblADXmOhAEVW9adIgctmJgfTU0IT1+73AqoQZsX
h/GkQOAvva94Xol2V3GngYZFXX10oKBlWc3vl13MCDOgXpYoCbkfD7W0hdB4o+ouT/Rr
0+Q4Js+qNXDXTtHvyKbLGV8K/LGK57QFxC4+iMfpbROn5RTuQRns7CENHpSBzGZo68sy
7BJ4i9TjOWvaM+EhGGwgx8SbzwrQZEdMJRhXhSWBmip+OZatxfCVnT4DnHHhS5ai72NB
qQFw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
v16-20020a17090651d000b00882a397eb82si8048853ejk.343.2023.01.30.00.43.23;
Mon, 30 Jan 2023 00:43:49 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S236059AbjA3Iii (ORCPT <rfc822;n2h9z4@gmail.com> + 99 others);
Mon, 30 Jan 2023 03:38:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56266 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S236054AbjA3Iid (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 30 Jan 2023 03:38:33 -0500
Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3955E2A9A7
for <linux-kernel@vger.kernel.org>;
Mon, 30 Jan 2023 00:38:29 -0800 (PST)
Received: from mx0.infotecs-nt (localhost [127.0.0.1])
by mx0.infotecs.ru (Postfix) with ESMTP id A1D211395294;
Mon, 30 Jan 2023 11:38:25 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru A1D211395294
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx;
t=1675067905; bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=;
h=From:To:CC:Subject:Date:From;
b=F3uh0uGe06HBVXf0cRGzhX835rxl1VKhFd6fGHfmsxC57h+fDF/Ax4NlWpZB8mTP8
HROumvPxgCVffCMcrX5iktA1Fhg7d1Y1tTs2IaI3eJwSEX6tIgN647iDH501LhseGt
hEI28PbXf7bxjhROIdpA2GqO0E+wkglUGGaM7x7I=
Received: from msk-exch-02.infotecs-nt (msk-exch-02.infotecs-nt [10.0.7.192])
by mx0.infotecs-nt (Postfix) with ESMTP id 9F4D83173E2B;
Mon, 30 Jan 2023 11:38:25 +0300 (MSK)
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
To: Joerg Roedel <joro@8bytes.org>
CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>,
Wan Zongshun <Vincent.Wan@amd.com>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid
command-line parameter
Thread-Topic: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid
command-line parameter
Thread-Index: AQHZNIY3Lh3R018RS0y2wA56kccocQ==
Date: Mon, 30 Jan 2023 08:38:25 +0000
Message-ID: <20230130083843.802106-1-Ilia.Gavrilov@infotecs.ru>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.17.0.10]
x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 175098 [Jan 30 2023]
X-KLMS-AntiSpam-Version: 5.9.59.0
X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Auth: dkim=none
X-KLMS-AntiSpam-Info: LuaCore: 502 502
69dee8ef46717dd3cb3eeb129cb7cc8dab9e30f6,
{Tracking_from_domain_doesnt_match_to},
infotecs.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;127.0.0.199:7.1.2
X-MS-Exchange-Organization-SCL: -1
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, bases: 2023/01/30 06:50:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30,
bases: 2023/01/30 05:51:00 #20820122
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756436344030583439?=
X-GMAIL-MSGID: =?utf-8?q?1756436344030583439?=
|
| Series |
iommu/amd: @Add a length limitation for the ivrs_acpihid command-line parameter
|
|
Commit Message
Gavrilov Ilia
Jan. 30, 2023, 8:38 a.m. UTC
The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
drivers/iommu/amd/init.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
Comments
Not sure what that '@' is doing in the subject line... On 1/30/23 2:38 AM, Gavrilov Ilia wrote: > The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, > because the string specifier in the format string sscanf() > has no width limitation. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> cc: stable? > --- > drivers/iommu/amd/init.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c > index 467b194975b3..19a46b9f7357 100644 > --- a/drivers/iommu/amd/init.c > +++ b/drivers/iommu/amd/init.c > @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) > return 1; > } > > +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) > + > static int __init parse_ivrs_acpihid(char *str) > { > u32 seg = 0, bus, dev, fn; > char *hid, *uid, *p, *addr; > - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; > + char acpiid[ACPIID_LEN] = {0}; > int i; > > addr = strchr(str, '@'); > if (!addr) { > + addr = strchr(str, '='); > + if (!addr) > + goto not_found; > + > + ++addr; > + > + if (strlen(addr) > ACPIID_LEN) > + goto not_found; > + > if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || > sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { > pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", > @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) > /* We have the '@', make it the terminator to get just the acpiid */ > *addr++ = 0; > > + if (strlen(str) > ACPIID_LEN + 1) > + goto not_found; > + > if (sscanf(str, "=%s", acpiid) != 1) > goto not_found; > That works, or, this fix might be able to be made more brief if we could transform all the sscanf's '%s's to: "%" __stringify(ACPIID_LEN) "s" but the latter might make the already long sscanf line lengths longer... Either way: Reviewed-by: Kim Phillips <kim.phillips@amd.com> Kim
On 2/2/23 03:44, Kim Phillips wrote: > Not sure what that '@' is doing in the subject line... > Sorry, this is my typo. I'll fix it in V2. > On 1/30/23 2:38 AM, Gavrilov Ilia wrote: >> The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, >> because the string specifier in the format string sscanf() >> has no width limitation. >> >> Found by InfoTeCS on behalf of Linux Verification Center >> (linuxtesting.org) with SVACE. >> >> Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel >> parameter") >> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> > > cc: stable? > I'll add it to V2. >> --- >> drivers/iommu/amd/init.c | 16 +++++++++++++++- >> 1 file changed, 15 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c >> index 467b194975b3..19a46b9f7357 100644 >> --- a/drivers/iommu/amd/init.c >> +++ b/drivers/iommu/amd/init.c >> @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) >> return 1; >> } >> +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) >> + >> static int __init parse_ivrs_acpihid(char *str) >> { >> u32 seg = 0, bus, dev, fn; >> char *hid, *uid, *p, *addr; >> - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; >> + char acpiid[ACPIID_LEN] = {0}; >> int i; >> addr = strchr(str, '@'); >> if (!addr) { >> + addr = strchr(str, '='); >> + if (!addr) >> + goto not_found; >> + >> + ++addr; >> + >> + if (strlen(addr) > ACPIID_LEN) >> + goto not_found; >> + >> if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == >> 4 || >> sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, >> acpiid) == 5) { >> pr_warn("ivrs_acpihid%s option format deprecated; use >> ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", >> @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) >> /* We have the '@', make it the terminator to get just the >> acpiid */ >> *addr++ = 0; >> + if (strlen(str) > ACPIID_LEN + 1) >> + goto not_found; >> + >> if (sscanf(str, "=%s", acpiid) != 1) >> goto not_found; > > That works, or, this fix might be able to be made more brief if > we could transform all the sscanf's '%s's to: > > "%" __stringify(ACPIID_LEN) "s" > I tried to use __stringify, but I didn't find a brief way to do it correctly for the expression (ACPIHID_UID_LAN + ACPIHID_HID_LAN). The preprocessor does not evaluates a constant, but simply substitutes (256+9). > but the latter might make the already long sscanf line lengths longer... > > Either way: > > Reviewed-by: Kim Phillips <kim.phillips@amd.com> > > Kim Thank you for review.
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index 467b194975b3..19a46b9f7357 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) return 1; } +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) + static int __init parse_ivrs_acpihid(char *str) { u32 seg = 0, bus, dev, fn; char *hid, *uid, *p, *addr; - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; + char acpiid[ACPIID_LEN] = {0}; int i; addr = strchr(str, '@'); if (!addr) { + addr = strchr(str, '='); + if (!addr) + goto not_found; + + ++addr; + + if (strlen(addr) > ACPIID_LEN) + goto not_found; + if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) /* We have the '@', make it the terminator to get just the acpiid */ *addr++ = 0; + if (strlen(str) > ACPIID_LEN + 1) + goto not_found; + if (sscanf(str, "=%s", acpiid) != 1) goto not_found;