From patchwork Mon Jan 30 08:38:25 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
X-Patchwork-Id: 50186
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2072054wrn;
        Mon, 30 Jan 2023 00:43:50 -0800 (PST)
X-Google-Smtp-Source: 
 AK7set8EOuVi3WNnx/egYl7LwBXBkfKiAsX17cFXRaMZ0REso3CrN4xH0nd/5GcwjMEHLqKU3901
X-Received: by 2002:a17:906:d786:b0:87b:dc0a:b6a4 with SMTP id
 pj6-20020a170906d78600b0087bdc0ab6a4mr10784631ejb.75.1675068229915;
        Mon, 30 Jan 2023 00:43:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675068229; cv=none;
        d=google.com; s=arc-20160816;
        b=VUJ4yfT1Re9gRHQ53255a6Ls2gQvg5Ga/Yzp/PDx4L0tcxmgwQbyxTL++Evmjii9ZT
         2u8gRog3YykdDEG5cP8Kg3VmLCq6Ttqk9Tv+wlrOtmPn5Rn4m7aXqWIBNDyFz/6Byg/9
         DufYnL5Lw3UlRa7E8l76oJvw9D+hf+9HQRWTt7d3e9c2raHncBRwobDUX6Rju0zl+n6a
         Jv0blzBKYgssqfjMub2y7c9l43QAPNnaLKcOYSaJVgn07TuGxXbA7oJCM/r6KCdEDDy1
         LLz0a9yqCfvbiGnRaUcfUl0479u2cQqDeoy2VeISCV0iDAHNLYTLNZt37ek3Lol4LDuk
         m9uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:mime-version:content-transfer-encoding
         :content-language:accept-language:message-id:date:thread-index
         :thread-topic:subject:cc:to:from:dkim-signature:dkim-filter;
        bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=;
        b=Q+xAtc7rchzLoT0EkI/xwfjxZkQmb91aeY6why1Enmxgi20g354IZpRoUdDeR7Sar/
         ugz/oYHviogYoDi1I2F2FUFdlVs0SblADXmOhAEVW9adIgctmJgfTU0IT1+73AqoQZsX
         h/GkQOAvva94Xol2V3GngYZFXX10oKBlWc3vl13MCDOgXpYoCbkfD7W0hdB4o+ouT/Rr
         0+Q4Js+qNXDXTtHvyKbLGV8K/LGK57QFxC4+iMfpbROn5RTuQRns7CENHpSBzGZo68sy
         7BJ4i9TjOWvaM+EhGGwgx8SbzwrQZEdMJRhXhSWBmip+OZatxfCVnT4DnHHhS5ai72NB
         qQFw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 v16-20020a17090651d000b00882a397eb82si8048853ejk.343.2023.01.30.00.43.23;
        Mon, 30 Jan 2023 00:43:49 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@infotecs.ru header.s=mx header.b=F3uh0uGe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236059AbjA3Iii (ORCPT <rfc822;n2h9z4@gmail.com> + 99 others);
        Mon, 30 Jan 2023 03:38:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56266 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236054AbjA3Iid (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 Jan 2023 03:38:33 -0500
Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3955E2A9A7
        for <linux-kernel@vger.kernel.org>;
 Mon, 30 Jan 2023 00:38:29 -0800 (PST)
Received: from mx0.infotecs-nt (localhost [127.0.0.1])
        by mx0.infotecs.ru (Postfix) with ESMTP id A1D211395294;
        Mon, 30 Jan 2023 11:38:25 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru A1D211395294
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx;
        t=1675067905; bh=agMVttkQdrdnZ7Lt7FebUhOujNvpzMkU8Mwse9HV7zY=;
        h=From:To:CC:Subject:Date:From;
        b=F3uh0uGe06HBVXf0cRGzhX835rxl1VKhFd6fGHfmsxC57h+fDF/Ax4NlWpZB8mTP8
         HROumvPxgCVffCMcrX5iktA1Fhg7d1Y1tTs2IaI3eJwSEX6tIgN647iDH501LhseGt
         hEI28PbXf7bxjhROIdpA2GqO0E+wkglUGGaM7x7I=
Received: from msk-exch-02.infotecs-nt (msk-exch-02.infotecs-nt [10.0.7.192])
        by mx0.infotecs-nt (Postfix) with ESMTP id 9F4D83173E2B;
        Mon, 30 Jan 2023 11:38:25 +0300 (MSK)
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
To: Joerg Roedel <joro@8bytes.org>
CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
        Will Deacon <will@kernel.org>,
        Robin Murphy <robin.murphy@arm.com>,
        Wan Zongshun <Vincent.Wan@amd.com>,
        "iommu@lists.linux.dev" <iommu@lists.linux.dev>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid
 command-line parameter
Thread-Topic: [PATCH] iommu/amd: @Add a length limitation for the ivrs_acpihid
 command-line parameter
Thread-Index: AQHZNIY3Lh3R018RS0y2wA56kccocQ==
Date: Mon, 30 Jan 2023 08:38:25 +0000
Message-ID: <20230130083843.802106-1-Ilia.Gavrilov@infotecs.ru>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.17.0.10]
x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a
MIME-Version: 1.0
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 175098 [Jan 30 2023]
X-KLMS-AntiSpam-Version: 5.9.59.0
X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Auth: dkim=none
X-KLMS-AntiSpam-Info: LuaCore: 502 502
 69dee8ef46717dd3cb3eeb129cb7cc8dab9e30f6,
 {Tracking_from_domain_doesnt_match_to},
 infotecs.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;127.0.0.199:7.1.2
X-MS-Exchange-Organization-SCL: -1
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, bases: 2023/01/30 06:50:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30,
 bases: 2023/01/30 05:51:00 #20820122
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756436344030583439?=
X-GMAIL-MSGID: =?utf-8?q?1756436344030583439?=

The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Kim Phillips <kim.phillips@amd.com>
---
 drivers/iommu/amd/init.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 467b194975b3..19a46b9f7357 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str)
 	return 1;
 }
 
+#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
+
 static int __init parse_ivrs_acpihid(char *str)
 {
 	u32 seg = 0, bus, dev, fn;
 	char *hid, *uid, *p, *addr;
-	char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
+	char acpiid[ACPIID_LEN] = {0};
 	int i;
 
 	addr = strchr(str, '@');
 	if (!addr) {
+		addr = strchr(str, '=');
+		if (!addr)
+			goto not_found;
+
+		++addr;
+
+		if (strlen(addr) > ACPIID_LEN)
+			goto not_found;
+
 		if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
 		    sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
 			pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
@@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str)
 	/* We have the '@', make it the terminator to get just the acpiid */
 	*addr++ = 0;
 
+	if (strlen(str) > ACPIID_LEN + 1)
+		goto not_found;
+
 	if (sscanf(str, "=%s", acpiid) != 1)
 		goto not_found;