[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20250804154023.work.970-kees@kernel.org>
Date: Mon, 4 Aug 2025 08:40:27 -0700
From: Kees Cook <kees@...nel.org>
To: Joerg Roedel <joro@...tes.org>
Cc: Kees Cook <kees@...nel.org>,
Simcha Kosman <simcha.kosman@...erark.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@....com>,
Will Deacon <will@...nel.org>,
Robin Murphy <robin.murphy@....com>,
iommu@...ts.linux.dev,
Gavrilov Ilia <Ilia.Gavrilov@...otecs.ru>,
Kim Phillips <kim.phillips@....com>,
linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: [PATCH RESEND] iommu/amd: Avoid stack buffer overflow from kernel cmdline
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.
Reported-by: Simcha Kosman <simcha.kosman@...erark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@...nel.org>
---
This was sent out before but it didn't end up on any public mailing list. My mistake!
Cc: Joerg Roedel <joro@...tes.org>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@....com>
Cc: Will Deacon <will@...nel.org>
Cc: Robin Murphy <robin.murphy@....com>
Cc: <iommu@...ts.linux.dev>
---
drivers/iommu/amd/init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 7b5af6176de9..e11322d8d775 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
{
u32 seg = 0, bus, dev, fn;
char *hid, *uid, *p, *addr;
- char acpiid[ACPIID_LEN] = {0};
+ char acpiid[ACPIID_LEN + 1] = { }; /* size with NUL terminator */
int i;
addr = strchr(str, '@');
@@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
/* We have the '@', make it the terminator to get just the acpiid */
*addr++ = 0;
- if (strlen(str) > ACPIID_LEN + 1)
+ if (strlen(str) > ACPIID_LEN)
goto not_found;
if (sscanf(str, "=%s", acpiid) != 1)
--
2.34.1
Powered by blists - more mailing lists