| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bnwect65iw3jf44fszo6fm4fauyoextyk45pquxur23n25pmsx@owfja7cr2xzl>
Date: Tue, 4 Nov 2025 11:08:29 +0100
From: Jörg Rödel <joro@...tes.org>
To: Songtang Liu <liusongtang@...edance.com>
Cc: will@...nel.org, suravee.suthikulpanit@....com, robin.murphy@....com,
vasant.hegde@....com, dheerajkumar.srivastava@....com, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] iommu/amd: Fix potential out-of-bounds read in
iommu_mmio_show
On Thu, Oct 30, 2025 at 10:55:25PM -0700, Songtang Liu wrote:
> Changes in v2:
> - Add Reviewed-by and Tested-by tags from Dheeraj Kumar Srivastava
> ---
Git ignored everything below the above line for the commit message. Put the
changelog after the commit message next time.
>
> In iommu_mmio_write(), it validates the user-provided offset with the
> check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.
> This assumes a 4-byte access. However, the corresponding
> show handler, iommu_mmio_show(), uses readq() to perform an 8-byte
> (64-bit) read.
>
> If a user provides an offset equal to `mmio_phys_end - 4`, the check
> passes, and will lead to a 4-byte out-of-bounds read.
>
> Fix this by adjusting the boundary check to use sizeof(u64), which
> corresponds to the size of the readq() operation.
>
> Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU
> MMIO registers")
> Signed-off-by: Songtang Liu <liusongtang@...edance.com>
> Reviewed-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@....com>
> Tested-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@....com>
> ---
> drivers/iommu/amd/debugfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied, but next time please use 'git send-email' to send patches. This one is
malformatted both in the commit message and in the patch itself.
>
> diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
> index 10fa217a71199..20b04996441d6 100644
> --- a/drivers/iommu/amd/debugfs.c
> +++ b/drivers/iommu/amd/debugfs.c
> @@ -37,7 +37,7 @@ static ssize_t iommu_mmio_write(struct file *filp,
> const char __user *ubuf,
Weird line-break.
> if (ret)
> return ret;
>
> - if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4) {
> + if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) {
> iommu->dbg_mmio_offset = -1;
> return -EINVAL;
> }
> --
> 2.39.5
Powered by blists - more mailing lists