From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julia Cartwright, Joerg Roedel, Sasha Levin
Subject: [PATCH 4.9 41/50] iommu/dmar: Fix buffer overflow during PCI bus notification
Date: Thu, 18 Apr 2019 19:57:52 +0200
Message-Id: <20190418160427.463606376@linuxfoundation.org>

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") changed the type of the path data, however, the change in path type was not reflected in size calculations. Update to use the correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to an overflow of the static allocated buffer (dmar_pci_notify_info_buf), or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
    ? dump_stack+0x46/0x59
    ? print_address_description+0x1df/0x290
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? kasan_report+0x256/0x340
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? e820__memblock_setup+0xb0/0xb0
    ? dmar_dev_scope_init+0x424/0x48f
    ? __down_write_common+0x1ec/0x230
    ? dmar_dev_scope_init+0x48f/0x48f
    ? dmar_free_unused_resources+0x109/0x109
    ? cpumask_next+0x16/0x20
    ? __kmem_cache_create+0x392/0x430
    ? kmem_cache_create+0x135/0x2f0
    ? e820__memblock_setup+0xb0/0xb0
    ? intel_iommu_init+0x170/0x1848
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? migrate_enable+0x27a/0x5b0
    ? sched_setattr+0x20/0x20
    ? migrate_disable+0x1fc/0x380
    ? task_rq_lock+0x170/0x170
    ? try_to_run_init_process+0x40/0x40
    ? locks_remove_file+0x85/0x2f0
    ? dev_prepare_static_identity_mapping+0x78/0x78
    ? rt_spin_unlock+0x39/0x50
    ? lockref_put_or_lock+0x2a/0x40
    ? dput+0x128/0x2f0
    ? __rcu_read_unlock+0x66/0x80
    ? __fput+0x250/0x300
    ? __rcu_read_lock+0x1b/0x30
    ? mntput_no_expire+0x38/0x290
    ? e820__memblock_setup+0xb0/0xb0
    ? pci_iommu_init+0x25/0x63
    ? pci_iommu_init+0x25/0x63
    ? do_one_initcall+0x7e/0x1c0
    ? initcall_blacklisted+0x120/0x120
    ? kernel_init_freeable+0x27b/0x307
    ? rest_init+0xd0/0xd0
    ? kernel_init+0xf/0x120
    ? rest_init+0xd0/0xd0
    ? ret_from_fork+0x1f/0x40
   The buggy address belongs to the variable:
    dmar_pci_notify_info_buf+0x40/0x60

Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
Signed-off-by: Julia Cartwright
Signed-off-by: Joerg Roedel
Signed-off-by: Sasha Levin
--- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index 63110fbbb410..d51734e0c350 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
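
Review bot: On the + line in dmar_alloc_pci_notify_info(), size is still open-coded as sizeof(*info) + level * sizeof(info->path[0]) with no bound on level, and the only guard visible is the comparison against sizeof(dmar_pci_notify_info_buf) on the following line. Since the overflow came from the sizeof operand drifting away from the element type of info->path, it is worth checking that the declaration of dmar_pci_notify_info_buf and any other allocation or copy that walks info->path do not still assume sizeof(struct acpi_dmar_pci_path); neither is visible in this hunk. A one-line comment above the calculation noting that path[] elements are not struct acpi_dmar_pci_path would help keep the two from being conflated again.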