From: Pengpeng Hou
To: Richard Weinberger, Anton Ivanov
Cc: Johannes Berg, Tiwei Bie, linux-um@lists.infradead.org, linux-kernel@vger.kernel.org, Pengpeng Hou
Subject: [PATCH] um: vfio: bound the iommu_group sysfs path formatting
Date: Fri, 17 Apr 2026 15:40:56 +0800
Message-ID: <20260417074056.6937-1-pengpeng@iscas.ac.cn>

uml_vfio_user_get_group_id() builds the iommu_group sysfs path in a PATH_MAX buffer with sprintf() and an unvalidated device string. If the device component is long enough, the formatted path runs past the end of the heap buffer before readlink() is attempted.

Use snprintf() and reject device strings whose formatted path does not fit in PATH_MAX. Fixes: a0e2cb6a9063 ("um: Add VFIO-based virtual PCI driver") Signed-off-by: Pengpeng Hou --- arch/um/drivers/vfio_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/um/drivers/vfio_user.c b/arch/um/drivers/vfio_user.c index 6a45d8e14582..5230e18b5b53 100644 --- a/arch/um/drivers/vfio_user.c +++ b/arch/um/drivers/vfio_user.c @@ -81,7 +81,12 @@ int uml_vfio_user_get_group_id(const char *device) if (!path) return -ENOMEM; =20 - sprintf(path, "/sys/bus/pci/devices/%s/iommu_group", device); + r =3D snprintf(path, PATH_MAX, "/sys/bus/pci/devices/%s/iommu_group", + device); + if (r >=3D PATH_MAX) { + r =3D -ENAMETOOLONG; + goto free_path; + } =20 buf =3D uml_kmalloc(PATH_MAX + 1, UM_GFP_KERNEL); if (!buf) { --=20 2.50.1 (Apple Git-155)
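
Review bot: the PATH_MAX passed to snprintf() in the added lines is only a correct bound if the allocation of `path` is at least PATH_MAX bytes, and that allocation sits above the hunk's context (only `if (!path) return -ENOMEM;` is visible), while the `buf` allocation just below uses PATH_MAX + 1. Please confirm the two sizes agree, or tie the bound and the allocation to one shared constant so they cannot drift apart. The new check `if (r >= PATH_MAX)` also covers truncation only: a negative return from snprintf() falls through and `path` is then used with undefined contents, so consider `if (r < 0 || r >= PATH_MAX)`. The diffstat shows 6 insertions and 1 deletion, all in this hunk, so `r` and the `free_path` label must already exist in the function; it is worth checking that the `free_path` exit returns `r`, so that -ENAMETOOLONG actually reaches the caller.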