From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Julia Cartwright, Joerg Roedel, Sasha Levin, iommu@lists.linux-foundation.org
Subject: [PATCH AUTOSEL 4.14 22/37] iommu/dmar: Fix buffer overflow during PCI bus notification
Date: Fri, 29 Mar 2019 21:30:05 -0400
Message-Id: <20190330013020.379-22-sashal@kernel.org>
In-Reply-To: <20190330013020.379-1-sashal@kernel.org>
References: <20190330013020.379-1-sashal@kernel.org>
X-stable: review

From: Julia Cartwright

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data; however, the change in
path type was not reflected in size calculations. Update to use the
correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the statically allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
    ? dump_stack+0x46/0x59
    ? print_address_description+0x1df/0x290
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? kasan_report+0x256/0x340
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? e820__memblock_setup+0xb0/0xb0
    ? dmar_dev_scope_init+0x424/0x48f
    ? __down_write_common+0x1ec/0x230
    ? dmar_dev_scope_init+0x48f/0x48f
    ? dmar_free_unused_resources+0x109/0x109
    ? cpumask_next+0x16/0x20
    ? __kmem_cache_create+0x392/0x430
    ? kmem_cache_create+0x135/0x2f0
    ? e820__memblock_setup+0xb0/0xb0
    ? intel_iommu_init+0x170/0x1848
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? migrate_enable+0x27a/0x5b0
    ? sched_setattr+0x20/0x20
    ? migrate_disable+0x1fc/0x380
    ? task_rq_lock+0x170/0x170
    ? try_to_run_init_process+0x40/0x40
    ? locks_remove_file+0x85/0x2f0
    ? dev_prepare_static_identity_mapping+0x78/0x78
    ? rt_spin_unlock+0x39/0x50
    ? lockref_put_or_lock+0x2a/0x40
    ? dput+0x128/0x2f0
    ? __rcu_read_unlock+0x66/0x80
    ? __fput+0x250/0x300
    ? __rcu_read_lock+0x1b/0x30
    ? mntput_no_expire+0x38/0x290
    ? e820__memblock_setup+0xb0/0xb0
    ? pci_iommu_init+0x25/0x63
    ? pci_iommu_init+0x25/0x63
    ? do_one_initcall+0x7e/0x1c0
    ? initcall_blacklisted+0x120/0x120
    ? kernel_init_freeable+0x27b/0x307
    ? rest_init+0xd0/0xd0
    ? kernel_init+0xf/0x120
    ? rest_init+0xd0/0xd0
    ?
ret_from_fork+0x1f/0x40 The buggy address belongs to the variable: dmar_pci_notify_info_buf+0x40/0x60 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") Signed-off-by: Julia Cartwright Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index c0d1c4db5794..38d0128b8135 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
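
Review bot: The new size line in dmar_alloc_pci_notify_info() still computes level * sizeof(info->path[0]) as a bare multiply-and-add, with level coming from the walk up tmp->bus->self in the loop just above; where the target tree provides the struct_size() helper, struct_size(info, path, level) would express the same header-plus-array size and saturate instead of wrapping. Also note that sizeof(info->path[0]) is taken before info is assigned in the if/else that follows; this is valid because sizeof does not evaluate its operand (sizeof(*info) on the same line already relies on that), but a one-line comment would save the next reader from checking. Because the element size is now larger than the one the old line assumed, fewer levels pass the size <= sizeof(dmar_pci_notify_info_buf) test, so hierarchies that used to land in the static buffer will take the else path; that path is not shown in this hunk and is worth confirming for allocation-failure handling.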
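
The size mismatch described in the commit message, as an added example that is not part of the original mail or the kernel source. The struct layouts, the names acpi_path_model, drv_path_model and info_model, and the 64-byte static buffer capacity are assumptions constructed for illustration; allocator rounding is ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed models for illustration; these are not the kernel's definitions. */
struct acpi_path_model { uint8_t device, function; };      /* type the old code sized for */
struct drv_path_model  { uint8_t bus, device, function; }; /* type actually stored in path[] */
struct info_model {
    void *dev;
    unsigned long event;
    int bus;
    uint16_t seg, level;
    struct drv_path_model path[];  /* one entry per level of the PCI hierarchy */
};

#define STATIC_BUF_CAP 64u /* assumed capacity of the static fallback buffer */

/* Size as computed before the fix: element size taken from the wrong type. */
static size_t size_buggy(unsigned level)
{
    return sizeof(struct info_model) + level * sizeof(struct acpi_path_model);
}

/* Size as computed after the fix: element size taken from the array itself. */
static size_t size_fixed(unsigned level)
{
    return sizeof(struct info_model) + level * sizeof(((struct info_model *)0)->path[0]);
}

/* Bytes that land past the chosen storage when path[0..level-1] is filled in. */
static size_t overrun(unsigned level, size_t (*size_fn)(unsigned))
{
    size_t size = size_fn(level);
    /* Same decision as the hunk: static buffer if it fits, else an allocation
     * of exactly `size` bytes (the model ignores allocator rounding). */
    size_t avail = size <= STATIC_BUF_CAP ? STATIC_BUF_CAP : size;
    size_t written = offsetof(struct info_model, path) + level * sizeof(struct drv_path_model);
    return written > avail ? written - avail : 0;
}

int main(void)
{
    for (unsigned level = 0; level <= 24; level += 4)
        printf("level %2u: buggy size %3zu, fixed size %3zu, overrun buggy %2zu, fixed %zu\n",
               level, size_buggy(level), size_fixed(level),
               overrun(level, size_buggy), overrun(level, size_fixed));
    return 0;
}
```

Shallow hierarchies show no overrun with either formula because the static buffer has slack, which matches the commit message's statement that the bug manifests on deep PCI hierarchies.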