From nobody Tue Dec 2 02:19:17 2025 Received: from out30-97.freemail.mail.aliyun.com (out30-97.freemail.mail.aliyun.com [115.124.30.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E9FE2DE70A for ; Wed, 19 Nov 2025 10:11:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.97 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763547086; cv=none; b=phlMwsy7GHH3szJFe2HvrTqQRhecYHgDkb4iAxk/axgj4/Qu9VPkqTgSA2+dgLsK34/5XmgQuS5JK1kzCCoPbavbgOFoMsKtG1VODMPMpO66UH7K4xUVIbPwiNX50vzxIzuj5qm7fFkI0hA+hANP3EB0EFIs1+UgeLL/as1Ctes= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763547086; c=relaxed/simple; bh=z/0L1TePVtfIdgRnNpuCOyGK4s2mY4Cug2b/gXiNGYQ=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=DZ6lfC050wDBsXsGpUExxkAD+4iMtDcORcN8zUoP9Qy06YgmrfN8clzFBnwloKuRCVK0iBsRs676r9EZljnK4LIF4J9HlHr8qyubz2AjMs1BSXYaBqqEOB9jexhFPntFjmxJdT7nZcCkHSc9xGhW1fqsBh/i8EjKJKy33hVBc2Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=rl5qq9se; arc=none smtp.client-ip=115.124.30.97 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="rl5qq9se" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1763547081; h=From:To:Subject:Date:Message-ID:MIME-Version; bh=yeEwOY82tusfnY4T1KHOvhl3Q7APzLBBKypJZMSacH0=; b=rl5qq9seWRfKJ9Z7neAY5Fn9c6IlnX+x4Z6UYoujXrfWmKth1MQpI+OTpMcjtRh7G0/Jpba7+pp1GwkIaanTlyZu8+CTQB0JvPksJC/dypFJEv5JS1rkWrVmql7NiOud4nP9QVTDRUg60haMLizloriNzU7Tlxma/06lcRwGvzQ= Received: from localhost(mailfrom:kanie@linux.alibaba.com fp:SMTPD_---0WsoOAPl_1763547076 cluster:ay36) by smtp.aliyun-inc.com; Wed, 19 Nov 2025 18:11:21 +0800 From: Guixin Liu To: Bjorn Helgaas , Andy Shevchenko Cc: linux-kernel@vger.kernel.org Subject: [PATCH v2] PCI: Check rom header and data structure addr before accessing Date: Wed, 19 Nov 2025 18:11:16 +0800 Message-ID: <20251119101116.74307-1-kanie@linux.alibaba.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" We meet a crash when running stress-ng: BUG: unable to handle page fault for address: ffa0000007f40000 RIP: 0010:pci_get_rom_size+0x52/0x220 Call Trace: pci_map_rom+0x80/0x130 pci_read_rom+0x4b/0xe0 kernfs_file_read_iter+0x96/0x180 vfs_read+0x1b1/0x300 ksys_read+0x63/0xe0 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Our analysis reveals that the rom space's start address is 0xffa0000007f30000, and size is 0x10000. Because of broken rom space, before calling readl(pds), the pds's value is 0xffa0000007f3ffff, which is already pointed to the rom space end, invoking readl() would read 4 bytes therefore cause an out-of-bounds access and trigger a crash. Fix this by adding image header and data structure checking. Fixes: 47b975d234ea ("PCI: Avoid iterating through memory outside the resou= rce window") Suggested-by: Guanghui Feng Signed-off-by: Guixin Liu --- v1 -> v2: - Fix commit body problems, such as blank line in "Call Trace" both sides, thanks, (Andy Shevchenko).=20 - Remove every step checking, just check the addr is in header or data stru= ct. - Add Suggested-by: Guanghui Feng tag. drivers/pci/rom.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index e18d3a4383ba..16d601e7ffcc 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -69,6 +69,9 @@ void pci_disable_rom(struct pci_dev *pdev) } EXPORT_SYMBOL_GPL(pci_disable_rom); =20 +#define PCI_ROM_HEADER_SIZE 0x1A +#define PCI_ROM_DATA_STRUCT_SIZE 0x1B + /** * pci_get_rom_size - obtain the actual size of the ROM image * @pdev: target PCI device @@ -83,6 +86,7 @@ EXPORT_SYMBOL_GPL(pci_disable_rom); static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size) { + void __iomem *end =3D rom + size; void __iomem *image; int last_image; unsigned int length; @@ -90,14 +94,21 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, vo= id __iomem *rom, image =3D rom; do { void __iomem *pds; + + if (image + PCI_ROM_HEADER_SIZE >=3D end) + break; + /* Standard PCI ROMs start out with these bytes 55 AA */ if (readw(image) !=3D 0xAA55) { pci_info(pdev, "Invalid PCI ROM header signature: expecting 0xaa55, got= %#06x\n", readw(image)); break; } + /* get the PCI data structure and check its "PCIR" signature */ pds =3D image + readw(image + 24); + if (pds + PCI_ROM_DATA_STRUCT_SIZE >=3D end) + break; if (readl(pds) !=3D 0x52494350) { pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, g= ot %#010x\n", readl(pds)); @@ -106,8 +117,9 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, vo= id __iomem *rom, last_image =3D readb(pds + 21) & 0x80; length =3D readw(pds + 16); image +=3D length * 512; + /* Avoid iterating through memory outside the resource window */ - if (image >=3D rom + size) + if (image + PCI_ROM_HEADER_SIZE >=3D end) break; if (!last_image) { if (readw(image) !=3D 0xAA55) { --=20 2.43.0