From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Julia Cartwright, Joerg Roedel, Sasha Levin
Subject: [PATCH 4.4 129/168] iommu/dmar: Fix buffer overflow during PCI bus notification
Date: Wed, 24 Apr 2019 19:09:33 +0200
Message-Id: <20190424170930.940302460@linuxfoundation.org>
In-Reply-To: <20190424170923.452349382@linuxfoundation.org>
References: <20190424170923.452349382@linuxfoundation.org>

[ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]

Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") changed the type of the path data, however, the change in path type was not reflected in size calculations. Update to use the correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to an overflow of the static allocated buffer (dmar_pci_notify_info_buf), or can lead to overflow of slab-allocated data.

 BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
 Write of size 1 at addr ffffffff90445d80 by task swapper/0/1

 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
 Call Trace:
  ? dump_stack+0x46/0x59
  ? print_address_description+0x1df/0x290
  ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
  ? kasan_report+0x256/0x340
  ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
  ? e820__memblock_setup+0xb0/0xb0
  ? dmar_dev_scope_init+0x424/0x48f
  ? __down_write_common+0x1ec/0x230
  ? dmar_dev_scope_init+0x48f/0x48f
  ? dmar_free_unused_resources+0x109/0x109
  ? cpumask_next+0x16/0x20
  ? __kmem_cache_create+0x392/0x430
  ? kmem_cache_create+0x135/0x2f0
  ? e820__memblock_setup+0xb0/0xb0
  ? intel_iommu_init+0x170/0x1848
  ? _raw_spin_unlock_irqrestore+0x32/0x60
  ? migrate_enable+0x27a/0x5b0
  ? sched_setattr+0x20/0x20
  ? migrate_disable+0x1fc/0x380
  ? task_rq_lock+0x170/0x170
  ? try_to_run_init_process+0x40/0x40
  ? locks_remove_file+0x85/0x2f0
  ? dev_prepare_static_identity_mapping+0x78/0x78
  ? rt_spin_unlock+0x39/0x50
  ? lockref_put_or_lock+0x2a/0x40
  ? dput+0x128/0x2f0
  ? __rcu_read_unlock+0x66/0x80
  ? __fput+0x250/0x300
  ? __rcu_read_lock+0x1b/0x30
  ? mntput_no_expire+0x38/0x290
  ? e820__memblock_setup+0xb0/0xb0
  ? pci_iommu_init+0x25/0x63
  ? pci_iommu_init+0x25/0x63
  ? do_one_initcall+0x7e/0x1c0
  ? initcall_blacklisted+0x120/0x120
  ? kernel_init_freeable+0x27b/0x307
  ? rest_init+0xd0/0xd0
  ? kernel_init+0xf/0x120
  ? rest_init+0xd0/0xd0
  ? ret_from_fork+0x1f/0x40

 The buggy address belongs to the variable:
  dmar_pci_notify_info_buf+0x40/0x60

Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
Signed-off-by: Julia Cartwright
Signed-off-by: Joerg Roedel
Signed-off-by: Sasha Levin
---
 drivers/iommu/dmar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index 5a63e32a4a6b..cbad1926cec1 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
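
Review bot: The corrected `size = sizeof(*info) + level * sizeof(info->path[0]);` line still open-codes the header-plus-array arithmetic with no comment explaining why the element size must come from `info->path[0]` rather than a named struct. Deriving it from the member is the right choice, since the size then follows the declared element type if it changes again, which is the mismatch 57384592c433 introduced; a one-line comment above the assignment saying so would keep the next type change from reintroducing it. The same `size` decides between the static `dmar_pci_notify_info_buf` and the allocation in the `else` branch, so both overflow cases named in the changelog hinge on this one expression. The KASAN report quoted in the changelog is from 4.14.87-rt49, so for this 4.4 queue it is worth confirming that the tree carries 57384592c433, as the Fixes: tag implies.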