From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julia Cartwright, Joerg Roedel, Sasha Levin
Subject: [PATCH 4.19 088/110] iommu/dmar: Fix buffer overflow during PCI bus notification
Date: Thu, 18 Apr 2019 19:57:17 +0200
Message-Id: <20190418160446.324894309@linuxfoundation.org>
In-Reply-To: <20190418160437.484158340@linuxfoundation.org>

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") changed the type of the path data, however, the change in path type was not reflected in size calculations. Update to use the correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to an overflow of the static allocated buffer (dmar_pci_notify_info_buf), or can lead to overflow of slab-allocated data.

BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
Call Trace:
? dump_stack+0x46/0x59 ? print_address_description+0x1df/0x290 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? kasan_report+0x256/0x340 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? e820__memblock_setup+0xb0/0xb0 ? dmar_dev_scope_init+0x424/0x48f ? __down_write_common+0x1ec/0x230 ? dmar_dev_scope_init+0x48f/0x48f ? dmar_free_unused_resources+0x109/0x109 ? cpumask_next+0x16/0x20 ? __kmem_cache_create+0x392/0x430 ? kmem_cache_create+0x135/0x2f0 ? e820__memblock_setup+0xb0/0xb0 ? intel_iommu_init+0x170/0x1848 ? _raw_spin_unlock_irqrestore+0x32/0x60 ?
migrate_enable+0x27a/0x5b0 ? sched_setattr+0x20/0x20 ? migrate_disable+0x1fc/0x380 ? task_rq_lock+0x170/0x170 ? try_to_run_init_process+0x40/0x40 ? locks_remove_file+0x85/0x2f0 ? dev_prepare_static_identity_mapping+0x78/0x78 ? rt_spin_unlock+0x39/0x50 ? lockref_put_or_lock+0x2a/0x40 ? dput+0x128/0x2f0 ? __rcu_read_unlock+0x66/0x80 ? __fput+0x250/0x300 ? __rcu_read_lock+0x1b/0x30 ? mntput_no_expire+0x38/0x290 ? e820__memblock_setup+0xb0/0xb0 ? pci_iommu_init+0x25/0x63 ? pci_iommu_init+0x25/0x63 ? do_one_initcall+0x7e/0x1c0 ? initcall_blacklisted+0x120/0x120 ? kernel_init_freeable+0x27b/0x307 ? rest_init+0xd0/0xd0 ? kernel_init+0xf/0x120 ? rest_init+0xd0/0xd0 ? ret_from_fork+0x1f/0x40 The buggy address belongs to the variable: dmar_pci_notify_info_buf+0x40/0x60 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") Signed-off-by: Julia Cartwright Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index d9c748b6f9e4..7f9824b0609e 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
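Review bot: the changed line in dmar_alloc_pci_notify_info() still open-codes the allocation size as sizeof(*info) + level * sizeof(info->path[0]), so nothing checks that arithmetic before the result is compared against sizeof(dmar_pci_notify_info_buf). If path is the trailing array member of *info, as the expression suggests, struct_size(info, path, level) from linux/overflow.h would yield the same value, stay tied to the element type, and saturate rather than wrap. Taking sizeof(info->path[0]) before info is assigned is safe because sizeof does not evaluate its operand; a one-line comment saying so would help the next reader of this function.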
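Why the commit message ties the overflow to deep PCI hierarchies, as an added example that is not part of the patch or the kernel source: it models the size calculation before and after the one-line change and finds the depth at which the buggy size still passes the buffer check while the data no longer fits. The struct layouts, the 64-byte STATIC_BUF and every function name below are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layouts (not copied from the page): a 2-byte and a 3-byte path entry. */
struct old_path { uint8_t device, function; };      /* stands in for struct acpi_dmar_pci_path */
struct new_path { uint8_t bus, device, function; }; /* stands in for the element type of info->path */

/* Hypothetical header; only the trailing array of new_path matters here. */
struct notify_info {
    uint64_t dev, event;   /* pointer-sized placeholders */
    int32_t  bus;
    uint16_t seg, level;
    struct new_path path[];
};
#define STATIC_BUF 64      /* assumed size of the static fallback buffer */

/* Size as computed before the patch: element size taken from the wrong type. */
static size_t buggy_size(size_t level) {
    return sizeof(struct notify_info) + level * sizeof(struct old_path);
}

/* Size as computed after the patch: element size taken from the array itself. */
static size_t fixed_size(size_t level) {
    const struct notify_info *info = NULL;  /* sizeof does not evaluate info */
    return sizeof(*info) + level * sizeof(info->path[0]);
}

/* Bytes written past the buffer that the buggy size selects.
 * The heap case is modelled as an exact-size allocation. */
static size_t overrun(size_t level) {
    size_t asked = buggy_size(level), needed = fixed_size(level);
    size_t have = asked <= STATIC_BUF ? STATIC_BUF : asked;
    return needed > have ? needed - have : 0;
}

/* Shallowest hierarchy depth at which filling path[] overruns. */
static size_t first_overflow_level(void) {
    size_t level = 0;
    while (overrun(level) == 0) level++;
    return level;
}

int main(void) {
    for (size_t l = 12; l <= 22; l += 2)
        printf("level %2zu: asked %3zu, needed %3zu, overrun %2zu\n",
               l, buggy_size(l), fixed_size(l), overrun(l));
    printf("first overflowing level: %zu\n", first_overflow_level());
    return 0;
}
```

Under these assumed sizes, shallow hierarchies are absorbed by the slack in the static buffer, which is why the defect only shows up once the device sits many bridges deep.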