Message-ID: <tencent_E46183A88440D77C977DA6CBD37DC362A905@qq.com>
Date: Wed,  8 Oct 2025 15:53:07 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+093a8a8b859472e6c257@...kaller.appspotmail.com
Cc: iommu@...ts.linux.dev,
	jgg@...pe.ca,
	joro@...tes.org,
	kevin.tian@...el.com,
	linux-kernel@...r.kernel.org,
	robin.murphy@....com,
	syzkaller-bugs@...glegroups.com,
	will@...nel.org
Subject: [PATCH] iommufd: Prevent the use of nil data

The division exception occurs because:
The denominator bitmap->bitmap is 0, which is derived from the nil value
of bitmap->data passed in by the reproducer.

Before calling iova_bitmap_alloc() to allocate iter, add a check for a
null value in data to avoid the division exception.

syzbot reported:
divide error in iova_bitmap_alloc

Call Trace:
 <TASK>
 iommu_read_and_clear_dirty drivers/iommu/iommufd/io_pagetable.c:543 [inline]
 iopt_read_and_clear_dirty_data+0x271/0x4c0 drivers/iommu/iommufd/io_pagetable.c:603
 iommufd_hwpt_get_dirty_bitmap+0x1c3/0x340 drivers/iommu/iommufd/hw_pagetable.c:485

Reported-by: syzbot+093a8a8b859472e6c257@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=093a8a8b859472e6c257
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 drivers/iommu/iommufd/io_pagetable.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/iommufd/io_pagetable.c b/drivers/iommu/iommufd/io_pagetable.c
index c0360c450880..9ddaed95e79f 100644
--- a/drivers/iommu/iommufd/io_pagetable.c
+++ b/drivers/iommu/iommufd/io_pagetable.c
@@ -540,6 +540,9 @@ iommu_read_and_clear_dirty(struct iommu_domain *domain,
 	if (!ops || !ops->read_and_clear_dirty)
 		return -EOPNOTSUPP;
 
+	if (!bitmap->data)
+		return -EINVAL;
+
 	iter = iova_bitmap_alloc(bitmap->iova, bitmap->length,
 				 bitmap->page_size,
 				 u64_to_user_ptr(bitmap->data));
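
Review bot: The !bitmap->data check added before iova_bitmap_alloc() is not tied to the divide error by anything in the commit message or this hunk. The message names "bitmap->bitmap" as the zero denominator, but no such field appears here, and a NULL pointer passed through u64_to_user_ptr() is not itself a divisor. Of the arguments visible in the call, bitmap->page_size is the one that reads like a divisor, so either the message should spell out how a zero data value becomes the zero denominator inside iova_bitmap_alloc(), or the check should cover the value that is actually divided by. The call trace shows the request arriving through iommufd_hwpt_get_dirty_bitmap(), so it is also worth asking whether user-supplied fields should be rejected there, before they reach this helper. A Fixes: tag is missing as well.
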
-- 
2.43.0

