From: Jason Gunthorpe <jgg@nvidia.com>
To: Kai Aizen <kai.aizen.dev@gmail.com>
Cc: kevin.tian@intel.com, nicolinc@nvidia.com, will@kernel.org,
robin.murphy@arm.com, joro@8bytes.org, iommu@lists.linux.dev,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
Date: Fri, 8 May 2026 20:37:11 -0300 [thread overview]
Message-ID: <20260508233711.GJ9254@nvidia.com> (raw)
In-Reply-To: <20260430175630.67078-1-kai.aizen.dev@gmail.com>
On Thu, Apr 30, 2026 at 08:56:30PM +0300, Kai Aizen wrote:
> The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
> path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
>
> if (!vevent_for_lost_events_header(cur) &&
> sizeof(hdr) + cur->data_len > count - done) {
>
> hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
> evaluates to the size of the pointer. Surrounding code uses
> sizeof(*hdr) consistently:
>
> if (done >= count || sizeof(*hdr) > count - done) {
> ...
> if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
> ...
> done += sizeof(*hdr);
>
> struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
> flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
> expressions happen to be equal and the check works as intended.
>
> On 32-bit (sizeof(void *) == 4) the check under-counts the header by
> 4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
> count - done while 4 + cur->data_len does not will pass the check,
> then the loop will copy_to_user 8 bytes of header followed by data_len
> bytes of payload, writing past the user-supplied buffer.
>
> It is also a latent bug for any future expansion of struct
> iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
> should not depend on the type happening to match the host pointer
> width.
>
> Use sizeof(*hdr) to match the rest of the function and the actual
> amount that will be copied.
>
> Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
> Cc: stable@vger.kernel.org
> Reported-by: Kai Aizen <kai.aizen.dev@gmail.com>
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
> ---
> v2: fix From/Signed-off-by to use real name and email address.
> ---
> drivers/iommu/iommufd/eventq.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied to for-rc, thanks
Jason
prev parent reply other threads:[~2026-05-08 23:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 17:56 [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read Kai Aizen
2026-05-05 3:26 ` Baolu Lu
2026-05-05 3:45 ` Nicolin Chen
2026-05-08 8:17 ` Tian, Kevin
2026-05-08 23:37 ` Jason Gunthorpe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508233711.GJ9254@nvidia.com \
--to=jgg@nvidia.com \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=kai.aizen.dev@gmail.com \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nicolinc@nvidia.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.