mirror of
https://github.com/torvalds/linux.git
synced 2026-05-27 08:33:17 +02:00
8dfd3d8d74
In iommu_mmio_write() and iommu_capability_write(), the variables
dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.
Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.
1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
e.g. 0xffffffff isn't a valid input.
if (cnt > OFS_IN_SZ)
return -EINVAL;
2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
and iommu->mmio_phys_end is u64
if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
return -EINVAL;
3. The show handlers would currently catch the negative number and
refuse to perform the read.
Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().
Signed-off-by: Eder Zulian <ezulian@redhat.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| amd_iommu_types.h | ||
| amd_iommu.h | ||
| debugfs.c | ||
| init.c | ||
| iommu.c | ||
| iommufd.c | ||
| iommufd.h | ||
| Kconfig | ||
| Makefile | ||
| nested.c | ||
| pasid.c | ||
| ppr.c | ||
| quirks.c | ||