From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Julia Cartwright, Joerg Roedel, Sasha Levin, iommu@lists.linux-foundation.org
Subject: [PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification
Date: Fri, 29 Mar 2019 21:28:31 -0400
Message-Id: <20190330012854.32212-38-sashal@kernel.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190330012854.32212-1-sashal@kernel.org>
References: <20190330012854.32212-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Julia Cartwright

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data, however, the change in
path type was not reflected in size calculations. Update to use the
correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
    ? dump_stack+0x46/0x59
    ? print_address_description+0x1df/0x290
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? kasan_report+0x256/0x340
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? e820__memblock_setup+0xb0/0xb0
    ? dmar_dev_scope_init+0x424/0x48f
    ? __down_write_common+0x1ec/0x230
    ? dmar_dev_scope_init+0x48f/0x48f
    ? dmar_free_unused_resources+0x109/0x109
    ? cpumask_next+0x16/0x20
    ? __kmem_cache_create+0x392/0x430
    ? kmem_cache_create+0x135/0x2f0
    ? e820__memblock_setup+0xb0/0xb0
    ? intel_iommu_init+0x170/0x1848
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? migrate_enable+0x27a/0x5b0
    ? sched_setattr+0x20/0x20
    ? migrate_disable+0x1fc/0x380
    ? task_rq_lock+0x170/0x170
    ? try_to_run_init_process+0x40/0x40
    ? locks_remove_file+0x85/0x2f0
    ? dev_prepare_static_identity_mapping+0x78/0x78
    ? rt_spin_unlock+0x39/0x50
    ? lockref_put_or_lock+0x2a/0x40
    ? dput+0x128/0x2f0
    ? __rcu_read_unlock+0x66/0x80
    ? __fput+0x250/0x300
    ? __rcu_read_lock+0x1b/0x30
    ? mntput_no_expire+0x38/0x290
    ? e820__memblock_setup+0xb0/0xb0
    ? pci_iommu_init+0x25/0x63
    ? pci_iommu_init+0x25/0x63
    ? do_one_initcall+0x7e/0x1c0
    ? initcall_blacklisted+0x120/0x120
    ? kernel_init_freeable+0x27b/0x307
    ? rest_init+0xd0/0xd0
    ? kernel_init+0xf/0x120
    ? rest_init+0xd0/0xd0
    ?
ret_from_fork+0x1f/0x40 The buggy address belongs to the variable: dmar_pci_notify_info_buf+0x40/0x60 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") Signed-off-by: Julia Cartwright Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index d9c748b6f9e4..7f9824b0609e 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
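
Review bot: The new size expression, level * sizeof(info->path[0]), is still open-coded arithmetic on a count produced by the bus walk directly above it. If path is the trailing flexible array of *info, as the sizeof(*info) + level * ... form implies, size = struct_size(info, path, level); would derive the element size from the member in the same way and saturate on overflow instead of wrapping, so a later change to the element type cannot bring this mismatch back. A short comment that info appears here only inside sizeof, and is not dereferenced before the if/else below assigns it, would also help readers of the function.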
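
The size miscalculation described in the commit message, as an added stand-alone C example (not code from the patch or from the kernel). The struct layouts, the helper names and the 64-byte buffer size are assumptions chosen for the demonstration; only the shape of the two size expressions follows the diff.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types (assumptions): the stored path element gained a bus
 * field, so it is larger than the type the size calculation still named. */
struct old_path { uint8_t device, function; };      /* stale type in the size calc */
struct new_path { uint8_t bus, device, function; }; /* type actually stored */

struct notify_info {               /* hypothetical header with a trailing array */
    void *dev;
    unsigned long event;
    int level;
    struct new_path path[];        /* one element per level of PCI hierarchy */
};

/* Before the fix: element size taken from a type named by hand. */
static size_t size_buggy(int level)
{
    return sizeof(struct notify_info) + (size_t)level * sizeof(struct old_path);
}

/* After the fix: element size taken from the member that is written. */
static size_t size_fixed(int level)
{
    return sizeof(struct notify_info)
         + (size_t)level * sizeof(((struct notify_info *)0)->path[0]);
}

/* Bytes that land past the end of an object sized by size_buggy(). */
static size_t overrun_bytes(int level)
{
    return size_fixed(level) - size_buggy(level);
}

/* Shallowest depth where the buggy size still passes "size <= bufsize"
 * (so the static buffer is chosen) although the real footprint is larger. */
static int first_overflowing_level(size_t bufsize)
{
    for (int level = 1; size_buggy(level) <= bufsize; level++)
        if (size_fixed(level) > bufsize)
            return level;
    return -1; /* no depth both passes the check and overflows */
}

int main(void)
{
    int lvl = first_overflowing_level(64); /* 64: sample buffer size */
    printf("depth %d: check sees %zu bytes, writes need %zu (overrun %zu)\n",
           lvl, size_buggy(lvl), size_fixed(lvl), overrun_bytes(lvl));
    return 0;
}
```

Shallow hierarchies fit under either calculation, which is why the overflow only shows up on systems with deep PCI hierarchies; past the depth where the buggy size exceeds the buffer, the same shortfall applies to the heap allocation instead.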