iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs

[PATCH] iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs

Posted by Eder Zulian 2 months ago

In iommu_mmio_write() and iommu_capability_write(), the variables
dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.

Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.

1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
   e.g. 0xffffffff isn't a valid input.

  if (cnt > OFS_IN_SZ)
     return -EINVAL;

2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
   and iommu->mmio_phys_end is u64

  if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
      return -EINVAL;

3. The show handlers would currently catch the negative number and
   refuse to perform the read.

Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().

Signed-off-by: Eder Zulian <ezulian@redhat.com>
---
 drivers/iommu/amd/debugfs.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
index 4e66473d7cea..4c53b6361314 100644
--- a/drivers/iommu/amd/debugfs.c
+++ b/drivers/iommu/amd/debugfs.c
@@ -31,11 +31,12 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf,
 	if (cnt > OFS_IN_SZ)
 		return -EINVAL;
 
-	ret = kstrtou32_from_user(ubuf, cnt, 0, &dbg_mmio_offset);
+	ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_mmio_offset);
 	if (ret)
 		return ret;
 
-	if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
+	if (dbg_mmio_offset < 0 || dbg_mmio_offset >
+			iommu->mmio_phys_end - sizeof(u64))
 		return -EINVAL;
 
 	iommu->dbg_mmio_offset = dbg_mmio_offset;
@@ -71,12 +72,12 @@ static ssize_t iommu_capability_write(struct file *filp, const char __user *ubuf
 	if (cnt > OFS_IN_SZ)
 		return -EINVAL;
 
-	ret = kstrtou32_from_user(ubuf, cnt, 0, &dbg_cap_offset);
+	ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_cap_offset);
 	if (ret)
 		return ret;
 
 	/* Capability register at offset 0x14 is the last IOMMU capability register. */
-	if (dbg_cap_offset > 0x14)
+	if (dbg_cap_offset < 0 || dbg_cap_offset > 0x14)
 		return -EINVAL;
 
 	iommu->dbg_cap_offset = dbg_cap_offset;
-- 
2.53.0

Re: [PATCH] iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs

Posted by Jörg Rödel 1 month ago

On Fri, Apr 10, 2026 at 02:55:50PM +0200, Eder Zulian wrote:
> In iommu_mmio_write() and iommu_capability_write(), the variables
> dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
> are populated using kstrtou32_from_user(). If a user provides a
> sufficiently large value, it can become a negative integer.
> 
> Prior to this patch, the AMD IOMMU debugfs implementation was already
> protected by different mechanisms.
> 
> 1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
>    e.g. 0xffffffff isn't a valid input.
> 
>   if (cnt > OFS_IN_SZ)
>      return -EINVAL;
> 
> 2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
>    and iommu->mmio_phys_end is u64
> 
>   if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
>       return -EINVAL;
> 
> 3. The show handlers would currently catch the negative number and
>    refuse to perform the read.
> 
> Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
> input, and check for negative values to explicitly prevent out-of-bounds
> memory accesses directly in iommu_mmio_write() and
> iommu_capability_write().
> 
> Signed-off-by: Eder Zulian <ezulian@redhat.com>
> ---
>  drivers/iommu/amd/debugfs.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

Applied for -rc, thanks.