torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code

iommu/amd: Avoid stack buffer overflow from kernel cmdline

Browse Source 
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.

Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c6 ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>
Link: https://lore.kernel.org/r/20250804154023.work.970-kees@kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
This commit is contained in:
Kees Cook 2025-08-04 08:40:27 -07:00 committed by Joerg Roedel
parent 8f5ae30d69
commit 8503d0fcb1
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/iommu/amd/init.c
View File

@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
{ {
u32 seg = 0, bus, dev, fn; u32 seg = 0, bus, dev, fn;
char *hid, *uid, *p, *addr; char *hid, *uid, *p, *addr;
char acpiid[ACPIID_LEN] = {0}; char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */
int i; int i;
addr = strchr(str, '@'); addr = strchr(str, '@');
@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
/* We have the '@', make it the terminator to get just the acpiid */ /* We have the '@', make it the terminator to get just the acpiid */
*addr++ = 0; *addr++ = 0;
if (strlen(str) > ACPIID_LEN + 1) if (strlen(str) > ACPIID_LEN)
goto not_found; goto not_found;
if (sscanf(str, "=%s", acpiid) != 1) if (sscanf(str, "=%s", acpiid) != 1)