From: Pavel Paklov
To: Joerg Roedel
CC: Pavel Paklov, Suravee Suthikulpanit, Will Deacon, Robin Murphy, Wan Zongshun
Subject: [PATCH] iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
Date: Tue, 25 Mar 2025 09:22:44 +0000
Message-ID: <20250325092259.392844-1-Pavel.Paklov@cyberprotect.ru>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

There is a string parsing logic error which can lead to an overflow of
hid or uid buffers. Comparing ACPIID_LEN against a total string length
doesn't take into account the lengths of individual hid and uid buffers,
so the check is insufficient in some cases.

For example, if the length of the hid string is 4 and the length of the
uid string is 260, the length of str will be equal to ACPIID_LEN + 1 but
the uid string will overflow the uid buffer, whose size is 256. The same
applies to a hid string with length 13 and a uid string with length 250.

Check the length of hid and uid strings separately to prevent buffer
overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Paklov
---
 drivers/iommu/amd/init.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index cb536d372b12..fb82f8035c0f 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3677,6 +3677,14 @@ static int __init parse_ivrs_acpihid(char *str) while (*uid =3D=3D '0' && *(uid + 1)) uid++; =20 + if (strlen(hid) >=3D ACPIHID_HID_LEN) { + pr_err("Invalid command line: hid is too long\n"); + return 1; + } else if (strlen(uid) >=3D ACPIHID_UID_LEN) { + pr_err("Invalid command line: uid is too long\n"); + return 1; + } + i =3D early_acpihid_map_size++; memcpy(early_acpihid_map[i].hid, hid, strlen(hid)); memcpy(early_acpihid_map[i].uid, uid, strlen(uid)); --=20 2.43.0
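Review bot: the `>=` bound in both new checks is only correct because the `memcpy()` calls below copy `strlen()` bytes with no terminator and so rely on the last byte of `early_acpihid_map[i].hid` / `.uid` already being NUL; a one-line comment above the checks saying that the strict bound reserves the terminator would save the next reader from re-deriving it. The placement is right: the check runs after the leading-zero loop, so the length tested is the length copied, and before `early_acpihid_map_size++`, so a rejected entry does not consume a slot. Minor style point: the two conditions are independent, so two plain `if` blocks read more naturally than an `if` / `else if` chain.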
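The gap the commit message describes, as an added example that is not the kernel's code: a model of the old total-length gate beside the patch's per-field gate, run on the two length pairs quoted above and on a uid made of leading zeros, which the parser strips before the check. The 256-byte uid buffer comes from the message; the 9-byte hid buffer and all names here are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in constants (not the kernel's headers): the 256-byte uid
 * buffer is stated in the commit message; the 9-byte hid buffer is assumed. */
#define HID_LEN    9
#define UID_LEN    256
#define ACPIID_LEN (HID_LEN + UID_LEN)

/* Model of the pre-patch gate: only the total "hid:uid" length is bounded. */
int total_length_check_accepts(const char *acpiid)
{
    return strlen(acpiid) <= ACPIID_LEN + 1;
}

/*
 * Model of the patched gate: split at ':', skip leading zeros of uid as the
 * hunk's while loop does, then bound each field against its own buffer.
 * Returns 1 if the entry could be memcpy'd safely, 0 if it must be rejected;
 * hid_len/uid_len receive the field lengths the copies would use.
 */
int per_field_check_accepts(const char *acpiid, size_t *hid_len, size_t *uid_len)
{
    char buf[512];                 /* scratch copy so we can split in place */
    const char *uid;
    char *colon;

    if (strlen(acpiid) >= sizeof(buf))
        return 0;
    strcpy(buf, acpiid);
    colon = strchr(buf, ':');
    if (!colon || colon == buf)    /* hid or uid missing */
        return 0;
    *colon = '\0';
    uid = colon + 1;
    while (*uid == '0' && uid[1])  /* ignore leading zeros, keep a lone "0" */
        uid++;
    *hid_len = strlen(buf);
    *uid_len = strlen(uid);
    /* Strict '<': the copies are strlen() bytes, so the buffer must keep its NUL. */
    return *hid_len < HID_LEN && *uid_len < UID_LEN;
}

/* Builds a constructed "hid:uid" entry with the given field lengths into dst. */
void make_entry(char *dst, size_t hid_len, size_t uid_len, char uid_fill)
{
    memset(dst, 'A', hid_len);
    dst[hid_len] = ':';
    memset(dst + hid_len + 1, uid_fill, uid_len);
    dst[hid_len + 1 + uid_len] = '\0';
}
```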