Patch "iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 13 Mar 2023 22:18:52 -0400

This is a note to let you know that I've just added the patch titled

    iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-amd-add-a-length-limitation-for-the-ivrs_acpih.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f95bbac94d96e3d7999c616778397948e788d500
Author: Gavrilov Ilia <Ilia.Gavrilov@xxxxxxxxxxx>
Date:   Thu Feb 2 08:26:56 2023 +0000

    iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
    
    [ Upstream commit b6b26d86c61c441144c72f842f7469bb686e1211 ]
    
    The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
    because the string specifier in the format string sscanf()
    has no width limitation.
    
    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with SVACE.
    
    Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@xxxxxxxxxxx>
    Reviewed-by: Kim Phillips <kim.phillips@xxxxxxx>
    Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@xxxxxxxxxxx
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 6c11db3356f78..50ea582be5910 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3224,15 +3224,26 @@ static int __init parse_ivrs_hpet(char *str)
 	return 1;
 }
 
+#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
+
 static int __init parse_ivrs_acpihid(char *str)
 {
 	u32 seg = 0, bus, dev, fn;
 	char *hid, *uid, *p, *addr;
-	char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
+	char acpiid[ACPIID_LEN] = {0};
 	int i;
 
 	addr = strchr(str, '@');
 	if (!addr) {
+		addr = strchr(str, '=');
+		if (!addr)
+			goto not_found;
+
+		++addr;
+
+		if (strlen(addr) > ACPIID_LEN)
+			goto not_found;
+
 		if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
 		    sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
 			pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
@@ -3245,6 +3256,9 @@ static int __init parse_ivrs_acpihid(char *str)
 	/* We have the '@', make it the terminator to get just the acpiid */
 	*addr++ = 0;
 
+	if (strlen(str) > ACPIID_LEN + 1)
+		goto not_found;
+
 	if (sscanf(str, "=%s", acpiid) != 1)
 		goto not_found;
 






