| From 9ce3adb2878fcef77afe322f5cf2e4f8ec7ad214 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 4 Aug 2025 08:40:27 -0700 |
| Subject: iommu/amd: Avoid stack buffer overflow from kernel cmdline |
| |
| From: Kees Cook <kees@kernel.org> |
| |
| [ Upstream commit 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec ] |
| |
| While the kernel command line is considered trusted in most environments, |
| avoid writing 1 byte past the end of "acpiid" if the "str" argument is |
| maximum length. |
| |
| Reported-by: Simcha Kosman <simcha.kosman@cyberark.com> |
| Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM |
| Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter") |
| Signed-off-by: Kees Cook <kees@kernel.org> |
| Reviewed-by: Ankit Soni <Ankit.Soni@amd.com> |
| Link: https://lore.kernel.org/r/20250804154023.work.970-kees@kernel.org |
| Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/iommu/amd/init.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c |
| index bc78e8665551..23804270eda1 100644 |
| --- a/drivers/iommu/amd/init.c |
| +++ b/drivers/iommu/amd/init.c |
| @@ -3553,7 +3553,7 @@ static int __init parse_ivrs_acpihid(char *str) |
| { |
| u32 seg = 0, bus, dev, fn; |
| char *hid, *uid, *p, *addr; |
| - char acpiid[ACPIID_LEN] = {0}; |
| + char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */ |
| int i; |
| |
| addr = strchr(str, '@'); |
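Review bot: The comment added on the `acpiid` declaration says "NULL terminator", but NULL is the null pointer constant; the extra byte is for the string's NUL ('\0') terminator. I would word it as `/* +1 for the NUL terminator */`, so the reason for the `ACPIID_LEN + 1` size reads unambiguously. The body of parse_ivrs_acpihid continues outside this hunk.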
| @@ -3579,7 +3579,7 @@ static int __init parse_ivrs_acpihid(char *str) |
| /* We have the '@', make it the terminator to get just the acpiid */ |
| *addr++ = 0; |
| |
| - if (strlen(str) > ACPIID_LEN + 1) |
| + if (strlen(str) > ACPIID_LEN) |
| goto not_found; |
| |
| if (sscanf(str, "=%s", acpiid) != 1) |
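Review bot: The `sscanf(str, "=%s", acpiid)` call still uses an unbounded `%s`, and nothing at the call site records what keeps the write in bounds. It is safe only because of the `strlen(str) > ACPIID_LEN` check directly above and the `ACPIID_LEN + 1` sizing of `acpiid` in the earlier hunk. A comment before the sscanf would stop a later change to either bound from silently reintroducing the one-byte overflow: `/* %s is unbounded: safe only while strlen(str) <= ACPIID_LEN and acpiid has ACPIID_LEN + 1 bytes */`. Judging by the `"=%s"` format, `str` appears to include a leading '=' that is not copied, so the check looks conservative by one byte rather than tight; that is worth noting in the same comment if confirmed. parse_ivrs_acpihid starts and ends outside this hunk.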
| -- |
| 2.50.1 |
| |