Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp129637ybm; Tue, 26 May 2020 12:30:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwvKrmVMgkceeMMxz8Lq6ikwC8G4v04GwLKT/iG4EmFxrh94Nti+4q/eNlebM5ZUngZcyF0 X-Received: by 2002:a17:906:9493:: with SMTP id t19mr2370483ejx.461.1590521442888; Tue, 26 May 2020 12:30:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590521442; cv=none; d=google.com; s=arc-20160816; b=toAWf4m08Qw7jaAbEHHXK9guPkk4YhV6C3oU1F36fcdRBI2OLXBEvnLH3l2iwLdT/4 4QApf74gZ23ckX0Ic4+TWmR8Tiuxr/pBDRMaAkv3Ox9XwmxUJWVJHDvyUVUsu2J1HkjJ mLy0pcBezDx7Eg4lFPtx2Ax9Wtd8cLmMywrCveFGn8qsNx7Xnvs1Aeg25w5y1hPAgdZ6 vSmy/C2/Oi0O+3oFtPK+6nzwfOtANOHWEjKq1AmeisNvKe9Pz2bcl2uetxYeQlUNWg31 doFOa3mrjrE3p2GaxW3EiHD8LtIc3W/U6n+7ATZEstNrwlLCk3WbH9eB3cc81E5AFJZn Rd7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=43m1L19Qv4JMEJctHKDFO5Os6I7VsP5NwBtBkcB9srs=; b=A05So6Iz4KZpMhGJBys11sMixDLaGXFFyzRnl7zLL6VXu3sSdy8vLyg00w+KopjoQa Td2dXBPHgVZsTw5wARM/703dHgoqqWHKJpVdXZAX3Hectnl2D85+RV7rWonStlEHMCkg gBLd5IRtiIfJJ6cjVxfVAFuxhdBHB1NZOkzgd99i+hEys4zFH7uXU7eWjWFqO0AtJVUo sEEdBQIFsVnxKgyKVLgovtykfd2RqpXMnVibUf7u5VKBVWTVcivE38IFSi5BCPKf+g1I PCoenZ0Bc/D+08F8VcD84sqoxOX02wleYkslwoT5BpkDBFkshAaC0kjTQjLqc4qpnDqi e1Yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uygF6mnm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id la5si443226ejb.229.2020.05.26.12.30.19; Tue, 26 May 2020 12:30:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uygF6mnm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391329AbgEZTEK (ORCPT + 99 others); Tue, 26 May 2020 15:04:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:59594 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391321AbgEZTEG (ORCPT ); Tue, 26 May 2020 15:04:06 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DA3C6208B3; Tue, 26 May 2020 19:04:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590519845; bh=iOAwMRBSlHy9XiMQy0/QkkEIEB2ri9V80CPULmrxMVo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uygF6mnmu44+2LXYNRceyW+TN36NBtQTgyvjz0SOBjvv77JxjDDUDg7jDJ9VzW1zQ 6118+ll/58SGgEifAKaHw5Jhhx49jrBkeliDy9wkg/PXPVLrieXxfXPfJb0Oni8nFZ Epiap2+T8yvheLW5zodJnSntRk5XEYpO9Lb8rDEU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Monakov , Joerg Roedel , iommu@lists.linux-foundation.org, Joerg Roedel , Sasha Levin Subject: [PATCH 4.19 12/81] iommu/amd: Fix over-read of ACPI UID from IVRS table Date: Tue, 26 May 2020 20:52:47 +0200 Message-Id: <20200526183927.467526457@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200526183923.108515292@linuxfoundation.org> References: <20200526183923.108515292@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alexander Monakov [ Upstream commit e461b8c991b9202b007ea2059d953e264240b0c9 ] IVRS parsing code always tries to read 255 bytes from memory when retrieving ACPI device path, and makes an assumption that firmware provides a zero-terminated string. Both of those are bugs: the entry is likely to be shorter than 255 bytes, and zero-termination is not guaranteed. With Acer SF314-42 firmware these issues manifest visibly in dmesg: AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1... The first three lines show how the code over-reads adjacent table entries into the UID, and in the last line it even reads garbage data beyond the end of the IVRS table itself. Since each entry has the length of the UID (uidl member of ivhd_entry struct), use that for memcpy, and manually add a zero terminator. Avoid zero-filling hid and uid arrays up front, and instead ensure the uid array is always zero-terminated. No change needed for the hid array, as it was already properly zero-terminated. Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID") Signed-off-by: Alexander Monakov Cc: Joerg Roedel Cc: iommu@lists.linux-foundation.org Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/amd_iommu_init.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c index 2557ed112bc2..c7d0bb3b4a30 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c @@ -1334,8 +1334,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, } case IVHD_DEV_ACPI_HID: { u16 devid; - u8 hid[ACPIHID_HID_LEN] = {0}; - u8 uid[ACPIHID_UID_LEN] = {0}; + u8 hid[ACPIHID_HID_LEN]; + u8 uid[ACPIHID_UID_LEN]; int ret; if (h->type != 0x40) { @@ -1352,6 +1352,7 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, break; } + uid[0] = '\0'; switch (e->uidf) { case UID_NOT_PRESENT: @@ -1366,8 +1367,8 @@ static int __init init_iommu_from_acpi(struct amd_iommu *iommu, break; case UID_IS_CHARACTER: - memcpy(uid, (u8 *)(&e->uid), ACPIHID_UID_LEN - 1); - uid[ACPIHID_UID_LEN - 1] = '\0'; + memcpy(uid, &e->uid, e->uidl); + uid[e->uidl] = '\0'; break; default: -- 2.25.1