Date: Wed, 19 Nov 2025 12:49:54 +0200
From: Andy Shevchenko
To: Guixin Liu
Cc: Bjorn Helgaas, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] PCI: Check rom header and data structure addr before accessing
References: <20251119101116.74307-1-kanie@linux.alibaba.com>
In-Reply-To: <20251119101116.74307-1-kanie@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Organization: Intel Finland Oy - BIC 0357606-4 - c/o Alberga Business Park, 6 krs, Bertel Jungin Aukio 5, 02600 Espoo

On Wed, Nov 19, 2025 at 06:11:16PM +0800, Guixin Liu wrote:

Thanks for the update, my comments below.
> We meet a crash when running stress-ng:
>
> BUG: unable to handle page fault for address: ffa0000007f40000
> RIP: 0010:pci_get_rom_size+0x52/0x220
> Call Trace:
>
> pci_map_rom+0x80/0x130
> pci_read_rom+0x4b/0xe0
> kernfs_file_read_iter+0x96/0x180
> vfs_read+0x1b1/0x300
> ksys_read+0x63/0xe0
> do_syscall_64+0x34/0x80
> entry_SYSCALL_64_after_hwframe+0x78/0xe2

You missed my comment on these lines. Have you read the Submitting Patches documentation?

> Our analysis reveals that the rom space's start address is
> 0xffa0000007f30000, and size is 0x10000. Because of broken rom
> space, before calling readl(pds), the pds's value is
> 0xffa0000007f3ffff, which already points to the rom space
> end; invoking readl() would read 4 bytes and therefore cause an
> out-of-bounds access and trigger a crash.
>
> Fix this by adding image header and data structure checking.

...

> static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom,
> size_t size)
> {
> + void __iomem *end = rom + size;
> void __iomem *image;
> int last_image;
> unsigned int length;
> image = rom;
> do {
> void __iomem *pds;
> +
> + if (image + PCI_ROM_HEADER_SIZE >= end)
> + break;
> +
> /* Standard PCI ROMs start out with these bytes 55 AA */
> if (readw(image) != 0xAA55) {
> pci_info(pdev, "Invalid PCI ROM header signature: expecting 0xaa55, got %#06x\n",
> readw(image));
> break;
> }
> +
> /* get the PCI data structure and check its "PCIR" signature */
> pds = image + readw(image + 24);
> + if (pds + PCI_ROM_DATA_STRUCT_SIZE >= end)
> + break;
> if (readl(pds) != 0x52494350) {
> pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, got %#010x\n",
> readl(pds));
> last_image = readb(pds + 21) & 0x80;
> length = readw(pds + 16);
> image += length * 512;
> +
> /* Avoid iterating through memory outside the resource window */
> - if (image >= rom + size)
> + if (image + PCI_ROM_HEADER_SIZE >= end)

Theoretically this can overflow and become a false condition when it should be true.
Check overflow.h to see if there are helpers for wraparound checks.

So, first you need to validate the "end" and/or "size".

	image = rom;
	do {
		void __iomem *pds;

		if (size < PCI_ROM_HEADER_SIZE)
			break;

		...
		size -= ... // not sure if we can change this variable, though
	} while (...);

> break;
> if (!last_image) {
> if (readw(image) != 0xAA55) {

--
With Best Regards,
Andy Shevchenko
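Review bot: the two new bounds checks only protect the reads that follow them if PCI_ROM_HEADER_SIZE and PCI_ROM_DATA_STRUCT_SIZE are large enough, and their definitions are trimmed from the quote above ("..."): the header check must cover readw(image + 24), so PCI_ROM_HEADER_SIZE has to be at least 26, and the data-structure check must cover readb(pds + 21) and readw(pds + 16), so PCI_ROM_DATA_STRUCT_SIZE has to be at least 22; that dependency is worth a comment next to the defines or a sentence in the commit message. Two smaller points on the same hunk: both added `break`s are silent, unlike the neighbouring signature checks that call pci_info(), so a ROM truncated mid-image is now indistinguishable from a clean end of chain; a pci_info(pdev, ...) on the truncated path would keep the diagnostics consistent. And `image + PCI_ROM_HEADER_SIZE >= end` rejects an image whose header ends exactly at `end`; `>` is the exact bound (same for the `pds + PCI_ROM_DATA_STRUCT_SIZE >= end` check), although an image that is nothing but a header is useless anyway, so this errs on the conservative side rather than being wrong.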
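A user-space model of the image walk, added here as an illustration and not the kernel's code nor the patch under review: it follows the suggestion above of checking the bytes remaining in the window instead of comparing pointers, so no pointer past the end of the window is ever formed and the wraparound concern does not arise. The layout offsets come from the PCI Firmware Specification (55 AA header signature, PCIR pointer at offset 0x18, image length in 512-byte units at PCIR offset 0x10, indicator byte at PCIR offset 0x15). The minimum lengths ROM_HEADER_LEN and PDS_MIN_LEN, the rom_status codes, the helper names and the sample ROM buffers are assumptions constructed for this example and are not the kernel's PCI_ROM_HEADER_SIZE / PCI_ROM_DATA_STRUCT_SIZE.

```c
/*
 * Added example, not kernel code: a user-space model of the PCI option
 * ROM image walk in pci_get_rom_size(), written to track the bytes
 * remaining in the ROM window instead of comparing pointers.
 * Layout offsets follow the PCI Firmware Specification; the minimum
 * lengths, status codes and sample buffers are assumptions of this
 * example, not the kernel's constants.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ROM_SIG            0xAA55u      /* bytes 55 AA, read little-endian      */
#define ROM_PDS_PTR_OFF    0x18         /* u16: offset of the PCI data structure */
#define ROM_HEADER_LEN     0x1A         /* assumed: covers ROM_PDS_PTR_OFF + 2   */
#define PDS_SIG            0x52494350u  /* "PCIR", read little-endian            */
#define PDS_IMAGE_LEN_OFF  0x10         /* u16: image length in 512-byte units   */
#define PDS_INDICATOR_OFF  0x15         /* bit 7 set on the last image           */
#define PDS_MIN_LEN        0x16         /* assumed: covers PDS_INDICATOR_OFF + 1 */

enum rom_status { ROM_OK, ROM_TRUNCATED, ROM_BAD_HEADER_SIG, ROM_BAD_PDS_SIG };

struct rom_result {
    size_t size;            /* bytes of the window covered by the image chain */
    enum rom_status st;
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Walk the chain of images in rom[0..size). Every read is guarded by the
 * bytes remaining after the current image start, so no pointer beyond
 * rom + size is formed, let alone dereferenced.
 */
struct rom_result rom_chain_size(const uint8_t *rom, size_t size)
{
    struct rom_result r = { 0, ROM_OK };
    size_t off = 0;                       /* start of the current image */

    for (;;) {
        size_t remaining = size - off;    /* off <= size always holds */
        const uint8_t *img = rom + off;

        if (remaining < ROM_HEADER_LEN) { r.st = ROM_TRUNCATED; break; }
        if (rd16(img) != ROM_SIG)       { r.st = ROM_BAD_HEADER_SIG; break; }

        /* The PCIR pointer is a u16: it may land anywhere up to 0xFFFF past
         * the image start, including the last byte of the window. */
        size_t pds = rd16(img + ROM_PDS_PTR_OFF);
        if (pds > remaining || remaining - pds < PDS_MIN_LEN) {
            r.st = ROM_TRUNCATED;
            break;
        }
        const uint8_t *p = img + pds;
        if (rd32(p) != PDS_SIG) { r.st = ROM_BAD_PDS_SIG; break; }

        int last = p[PDS_INDICATOR_OFF] & 0x80;
        size_t len = (size_t)rd16(p + PDS_IMAGE_LEN_OFF) * 512;

        if (len == 0)                     /* mirrors the kernel's while (length && ...) */
            break;
        if (len > remaining) {            /* image claims more than the window holds */
            r.st = ROM_TRUNCATED;
            off = size;
            break;
        }
        off += len;
        if (last)
            break;
        /* the next image's header is validated at the top of the loop */
    }
    r.size = off;
    return r;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Write a constructed image header plus PCIR structure at buf + off. */
static void emit_image(uint8_t *buf, size_t off, uint16_t pds_off,
                       uint16_t len_units, int last)
{
    uint8_t *img = buf + off;
    img[0] = 0x55; img[1] = 0xAA;
    put16(img + ROM_PDS_PTR_OFF, pds_off);
    memcpy(img + pds_off, "PCIR", 4);
    put16(img + pds_off + PDS_IMAGE_LEN_OFF, len_units);
    img[pds_off + PDS_INDICATOR_OFF] = last ? 0x80 : 0x00;
}

/* Constructed sample 1: a 1 KiB image followed by a 512-byte last image. */
struct rom_result scenario_valid_chain(void)
{
    static uint8_t buf[0x1000];
    memset(buf, 0, sizeof buf);
    emit_image(buf, 0x000, 0x40, 2, 0);
    emit_image(buf, 0x400, 0x40, 1, 1);
    return rom_chain_size(buf, sizeof buf);   /* size 0x600, ROM_OK */
}

/* Constructed sample 2: the crash from the commit message, scaled down. The
 * PCIR pointer lands on the last byte of the window, so reading the 4-byte
 * signature there would run past the end. */
struct rom_result scenario_pds_on_last_byte(void)
{
    static uint8_t buf[0x1000];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x55; buf[1] = 0xAA;
    put16(buf + ROM_PDS_PTR_OFF, 0x0FFF);
    return rom_chain_size(buf, sizeof buf);   /* size 0, ROM_TRUNCATED */
}

/* Constructed sample 3: an image whose declared length exceeds the window. */
struct rom_result scenario_oversized_image(void)
{
    static uint8_t buf[0x1000];
    memset(buf, 0, sizeof buf);
    emit_image(buf, 0, 0x40, 0x80, 0);        /* 0x80 * 512 = 0x10000 bytes */
    return rom_chain_size(buf, sizeof buf);   /* size 0x1000, ROM_TRUNCATED */
}
```

The arithmetic only ever subtracts an offset that is known to be no larger than the window, so the size comparisons cannot wrap the way `image + PCI_ROM_HEADER_SIZE` or `pds + PCI_ROM_DATA_STRUCT_SIZE` can when the mapped address sits near the top of the address space; the same structure carries over to the kernel by keeping a `remaining` counter alongside `image`, or by decrementing `size` as Andy sketches, provided the function no longer needs the original `size` afterwards.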