torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code

iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter

Browse Source 
The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: ca3bf5d47c ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Kim Phillips <kim.phillips@amd.com>
Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Joerg Roedel <jroedel@suse.de>
This commit is contained in:
Gavrilov Ilia 2023-02-02 08:26:56 +00:00 committed by Joerg Roedel
parent 05d227efbd
commit b6b26d86c6
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
drivers/iommu/amd/init.c
View File

@ -3475,15 +3475,26 @@ found:
return 1; return 1;
} }
#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
static int __init parse_ivrs_acpihid(char *str) static int __init parse_ivrs_acpihid(char *str)
{ {
u32 seg = 0, bus, dev, fn; u32 seg = 0, bus, dev, fn;
char *hid, *uid, *p, *addr; char *hid, *uid, *p, *addr;
char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0}; char acpiid[ACPIID_LEN] = {0};
int i; int i;
addr = strchr(str, '@'); addr = strchr(str, '@');
if (!addr) { if (!addr) {
addr = strchr(str, '=');
if (!addr)
goto not_found;
++addr;
if (strlen(addr) > ACPIID_LEN)
goto not_found;
if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 || if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) { sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n", pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str)
/* We have the '@', make it the terminator to get just the acpiid */ /* We have the '@', make it the terminator to get just the acpiid */
*addr++ = 0; *addr++ = 0;
if (strlen(str) > ACPIID_LEN + 1)
goto not_found;
if (sscanf(str, "=%s", acpiid) != 1) if (sscanf(str, "=%s", acpiid) != 1)
goto not_found; goto not_found;