From patchwork Thu Feb 2 08:26:56 2023
X-Patchwork-Submitter: Gavrilov Ilia
X-Patchwork-Id: 51789
From: Gavrilov Ilia
To: "kim.phillips@amd.com"
CC: Gavrilov Ilia, "Vincent.Wan@amd.com", "iommu@lists.linux.dev", "joro@8bytes.org", "linux-kernel@vger.kernel.org", "lvc-project@linuxtesting.org", "robin.murphy@arm.com", "suravee.suthikulpanit@amd.com", "will@kernel.org", "stable@vger.kernel.org"
Subject: [PATCH v2] iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
Date: Thu, 2 Feb 2023 08:26:56 +0000
Message-ID: <20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru>
References: <39506e9f-9bbb-fcf6-b488-542fd3657eae@amd.com>
In-Reply-To: <39506e9f-9bbb-fcf6-b488-542fd3657eae@amd.com>

The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, because the string specifier in the format string sscanf() has no width limitation.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia.Gavrilov
---
V2: Fix typo in the subject

 drivers/iommu/amd/init.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index 467b194975b3..19a46b9f7357 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -3475,15 +3475,26 @@ static int __init parse_ivrs_hpet(char *str) return 1; } +#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN) + static int __init parse_ivrs_acpihid(char *str) { u32 seg = 0, bus, dev, fn; char *hid, *uid, *p, *addr; - char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; + char acpiid[ACPIID_LEN] = {0}; int i; addr = strchr(str, '@'); if (!addr) { + addr = strchr(str, '='); + if (!addr) + goto not_found; + + ++addr; + + if (strlen(addr) > ACPIID_LEN) + goto not_found; + if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", @@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str) /* We have the '@', make it the terminator to get just the acpiid */ *addr++ = 0; + if (strlen(str) > ACPIID_LEN + 1) + goto not_found; + if (sscanf(str, "=%s", acpiid) != 1) goto not_found;
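
Review bot: In the first hunk (@@ -3475,15 +3475,26 @@), the new check `if (strlen(addr) > ACPIID_LEN)` still lets through a value of exactly ACPIID_LEN characters, and `%s` in the two sscanf() calls that follow stores those characters plus a terminating NUL into `char acpiid[ACPIID_LEN]`, which is one byte past the end of the array. Suggest `if (strlen(addr) >= ACPIID_LEN)` so that the longest accepted string still leaves room for the terminator.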
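
Review bot: In the second hunk (@@ -3496,6 +3507,9 @@), `if (strlen(str) > ACPIID_LEN + 1)` has a boundary that is one too generous: for `sscanf(str, "=%s", acpiid)` to match, str is '=' followed by the ID, so a length of ACPIID_LEN + 1 means ACPIID_LEN ID characters, and the terminating NUL then lands at acpiid[ACPIID_LEN]. Suggest `if (strlen(str) > ACPIID_LEN)`, with a short comment saying that the one extra character being counted is the leading '='.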