[PATCH RESEND] iommu/amd: Avoid stack buffer overflow from kernel cmdline

[PATCH RESEND] iommu/amd: Avoid stack buffer overflow from kernel cmdline

[Kees Cook]

While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.

Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@kernel.org>
---
This was sent out before but it didn't end up on any public mailing list. My mistake!
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: <iommu@lists.linux.dev>
---
 drivers/iommu/amd/init.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 7b5af6176de9..e11322d8d775 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
 {
 	u32 seg = 0, bus, dev, fn;
 	char *hid, *uid, *p, *addr;
-	char acpiid[ACPIID_LEN] = {0};
+	char acpiid[ACPIID_LEN + 1] = { }; /* size with NUL terminator */
 	int i;
 
 	addr = strchr(str, '@');
@@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
 	/* We have the '@', make it the terminator to get just the acpiid */
 	*addr++ = 0;
 
-	if (strlen(str) > ACPIID_LEN + 1)
+	if (strlen(str) > ACPIID_LEN)
 		goto not_found;
 
 	if (sscanf(str, "=%s", acpiid) != 1)
-- 
2.34.1

Re: [PATCH RESEND] iommu/amd: Avoid stack buffer overflow from kernel cmdline

[Ankit Soni]

Hi,

On Mon, Aug 04, 2025 at 08:40:27AM -0700, Kees Cook wrote:
> While the kernel command line is considered trusted in most environments,
> avoid writing 1 byte past the end of "acpiid" if the "str" argument is
> maximum length.
> 
> Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
> Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
> Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> This was sent out before but it didn't end up on any public mailing list. My mistake!
> Cc: Joerg Roedel <joro@8bytes.org>
> Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
> Cc: Will Deacon <will@kernel.org>
> Cc: Robin Murphy <robin.murphy@arm.com>
> Cc: <iommu@lists.linux.dev>
> ---
>  drivers/iommu/amd/init.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
> index 7b5af6176de9..e11322d8d775 100644
> --- a/drivers/iommu/amd/init.c
> +++ b/drivers/iommu/amd/init.c
> @@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
>  {
>  	u32 seg = 0, bus, dev, fn;
>  	char *hid, *uid, *p, *addr;
> -	char acpiid[ACPIID_LEN] = {0};
> +	char acpiid[ACPIID_LEN + 1] = { }; /* size with NUL terminator */

minor nits below,

s/NUL/NULL
and keeping "{0}" will be as per standard.

otherwise looks good!
Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>

>  	int i;
>  
>  	addr = strchr(str, '@');
> @@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
>  	/* We have the '@', make it the terminator to get just the acpiid */
>  	*addr++ = 0;
>  
> -	if (strlen(str) > ACPIID_LEN + 1)
> +	if (strlen(str) > ACPIID_LEN)
>  		goto not_found;
>  
>  	if (sscanf(str, "=%s", acpiid) != 1)
> -- 
> 2.34.1
> 

Re: [PATCH RESEND] iommu/amd: Avoid stack buffer overflow from kernel cmdline

[Joerg Roedel]

On Mon, Aug 04, 2025 at 08:40:27AM -0700, Kees Cook wrote:
>  drivers/iommu/amd/init.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied for -rc, thanks Kees.