| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <nt5hjadzpif6sqoyj2cfpg3werd3pucfb3nys55fmeix6rcqso@hhmnso6csrn5>
Date: Tue, 12 Aug 2025 06:41:01 +0000
From: Ankit Soni <Ankit.Soni@....com>
To: Kees Cook <kees@...nel.org>
CC: Joerg Roedel <joro@...tes.org>, Simcha Kosman
<simcha.kosman@...erark.com>, Suravee Suthikulpanit
<suravee.suthikulpanit@....com>, Will Deacon <will@...nel.org>, Robin Murphy
<robin.murphy@....com>, <iommu@...ts.linux.dev>, Gavrilov Ilia
<Ilia.Gavrilov@...otecs.ru>, Kim Phillips <kim.phillips@....com>,
<linux-kernel@...r.kernel.org>, <linux-hardening@...r.kernel.org>
Subject: Re: [PATCH RESEND] iommu/amd: Avoid stack buffer overflow from
kernel cmdline
Hi,
On Mon, Aug 04, 2025 at 08:40:27AM -0700, Kees Cook wrote:
> While the kernel command line is considered trusted in most environments,
> avoid writing 1 byte past the end of "acpiid" if the "str" argument is
> maximum length.
>
> Reported-by: Simcha Kosman <simcha.kosman@...erark.com>
> Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
> Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
> Signed-off-by: Kees Cook <kees@...nel.org>
> ---
> This was sent out before but it didn't end up on any public mailing list. My mistake!
> Cc: Joerg Roedel <joro@...tes.org>
> Cc: Suravee Suthikulpanit <suravee.suthikulpanit@....com>
> Cc: Will Deacon <will@...nel.org>
> Cc: Robin Murphy <robin.murphy@....com>
> Cc: <iommu@...ts.linux.dev>
> ---
> drivers/iommu/amd/init.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
> index 7b5af6176de9..e11322d8d775 100644
> --- a/drivers/iommu/amd/init.c
> +++ b/drivers/iommu/amd/init.c
> @@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
> {
> u32 seg = 0, bus, dev, fn;
> char *hid, *uid, *p, *addr;
> - char acpiid[ACPIID_LEN] = {0};
> + char acpiid[ACPIID_LEN + 1] = { }; /* size with NUL terminator */
minor nits below,
s/NUL/NULL
and keeping "{0}" will be as per standard.
otherwise looks good!
Reviewed-by: Ankit Soni <Ankit.Soni@....com>
> int i;
>
> addr = strchr(str, '@');
> @@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
> /* We have the '@', make it the terminator to get just the acpiid */
> *addr++ = 0;
>
> - if (strlen(str) > ACPIID_LEN + 1)
> + if (strlen(str) > ACPIID_LEN)
> goto not_found;
>
> if (sscanf(str, "=%s", acpiid) != 1)
> --
> 2.34.1
>
Powered by blists - more mailing lists