Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5e97dc74 authored by Gavrilov Ilia's avatar Gavrilov Ilia Committed by Greg Kroah-Hartman
Browse files

iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter 



[ Upstream commit b6b26d86c61c441144c72f842f7469bb686e1211 ]

The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: ca3bf5d4 ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarIlia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: default avatarKim Phillips <kim.phillips@amd.com>
Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru


Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 774c63f5

drivers/iommu/amd_iommu_init.c

+15 −1
Original line number Diff line number Diff line
@@ -3049,15 +3049,26 @@ static int __init parse_ivrs_hpet(char *str) 
	return 1;

}



#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)



static int __init parse_ivrs_acpihid(char *str)

{

	u32 seg = 0, bus, dev, fn;

	char *hid, *uid, *p, *addr;

	char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};

	char acpiid[ACPIID_LEN] = {0};

	int i;



	addr = strchr(str, '@');

	if (!addr) {

		addr = strchr(str, '=');

		if (!addr)

			goto not_found;



		++addr;



		if (strlen(addr) > ACPIID_LEN)

			goto not_found;



		if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||

		    sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {

			pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
@@ -3070,6 +3081,9 @@ static int __init parse_ivrs_acpihid(char *str) 
	/* We have the '@', make it the terminator to get just the acpiid */

	*addr++ = 0;



	if (strlen(str) > ACPIID_LEN + 1)

		goto not_found;



	if (sscanf(str, "=%s", acpiid) != 1)

		goto not_found;