diff options
| author | Eder Zulian <ezulian@redhat.com> | 2026-04-10 14:55:50 +0200 |
|---|---|---|
| committer | Joerg Roedel <joerg.roedel@amd.com> | 2026-05-11 09:52:54 +0200 |
| commit | 8dfd3d8d74435344ee8dc9237596959c8b2a6cbe (patch) | |
| tree | c56f491b6b365e00ac9a19cb54ed8ef8b75fed06 /tools/lib/python/feat | |
| parent | 5d6919055dec134de3c40167a490f33c74c12581 (diff) | |
| download | linux-8dfd3d8d74435344ee8dc9237596959c8b2a6cbe.tar.gz linux-8dfd3d8d74435344ee8dc9237596959c8b2a6cbe.zip | |
iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
In iommu_mmio_write() and iommu_capability_write(), the variables
dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.
Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.
1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
e.g. 0xffffffff isn't a valid input.
if (cnt > OFS_IN_SZ)
return -EINVAL;
2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
and iommu->mmio_phys_end is u64
if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
return -EINVAL;
3. The show handlers would currently catch the negative number and
refuse to perform the read.
Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().
Signed-off-by: Eder Zulian <ezulian@redhat.com>
Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU MMIO registers")
Cc: stable@vger.kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Diffstat (limited to 'tools/lib/python/feat')
0 files changed, 0 insertions, 0 deletions