From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
To: jgg@nvidia.com
Cc: kevin.tian@intel.com, nicolinc@nvidia.com, will@kernel.org, robin.murphy@arm.com, joro@8bytes.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
Subject: [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
Date: Thu, 30 Apr 2026 18:41:00 +0300
Message-ID: <20260430154100.61604-1-95986478+SnailSploit@users.noreply.github.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>

The bounds check in iommufd_veventq_fops_read() for the normal vEVENT path
uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):

	if (!vevent_for_lost_events_header(cur) &&
	    sizeof(hdr) + cur->data_len > count - done) {

hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr) evaluates
to the size of the pointer. Surrounding code uses sizeof(*hdr) consistently:

	if (done >= count || sizeof(*hdr) > count - done) {
	...
	if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
	...
	done += sizeof(*hdr);

struct iommufd_vevent_header is currently 8 bytes (two __u32 fields, flags
and sequence), so on 64-bit (sizeof(void *) == 8) the two expressions happen
to be equal and the check works as intended.

On 32-bit (sizeof(void *) == 4) the check under-counts the header by 4 bytes:
a vEVENT whose data_len causes 8 + cur->data_len to exceed count - done while
4 + cur->data_len does not will pass the check, then the loop will
copy_to_user 8 bytes of header followed by data_len bytes of payload, writing
past the user-supplied buffer.

It is also a latent bug for any future expansion of struct
iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check should not
depend on the type happening to match the host pointer width.

Use sizeof(*hdr) to match the rest of the function and the actual amount
that will be copied.

Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Cc: stable@vger.kernel.org
Signed-off-by: SnailSploit | Kai Aizen <95986478+SnailSploit@users.noreply.github.com>
---
 drivers/iommu/iommufd/eventq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index 710eef0b6..78689fb52 100644
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -321,7 +321,7 @@ static ssize_t iommufd_veventq_fops_read(struct file *filep, char __user *buf, /* If being a normal vEVENT, validate against the full size */ if (!vevent_for_lost_events_header(cur) && - sizeof(hdr) + cur->data_len > count - done) { + sizeof(*hdr) + cur->data_len > count - done) { iommufd_veventq_deliver_restore(veventq, cur); break; } -- 2.43.0
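Review bot: On the `+` line, `sizeof(*hdr) + cur->data_len > count - done` now measures the same quantity the later copy_to_user() writes (the 8-byte header plus the payload), so the 32-bit under-count described in the message is closed and the check no longer depends on the pointer width; the one-line change is correct as shown. Two things worth adding to the description before this is applied: the type of cur->data_len, since the argument relies on that sum not wrapping in size_t, and a sentence noting that the earlier `sizeof(*hdr) > count - done` check is what keeps `count - done` from underflowing here. Nit: "bound-check" in the first sentence should read "bounds check".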
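To make the sizeof(hdr) versus sizeof(*hdr) difference concrete, here is a small user-space model of the delivery loop described in the commit message. It is an added example, not code from the patch or from the kernel: the header layout (two 32-bit fields) is taken from the description, the queue entry type and the `simulate_read` function are constructed for this illustration, only normal vEVENTs are modelled (the lost-events header path is left out), and the 32-bit case is simulated by passing 4 as the size the check uses rather than by building for a 32-bit target. The model reports how many bytes a read would write past the caller's buffer under each check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of struct iommufd_vevent_header as the commit message
 * describes it: two __u32 fields, 8 bytes in total, no padding. */
struct vevent_header {
    uint32_t flags;
    uint32_t sequence;
};

/* Constructed queue entry: a header plus data_len bytes of payload.
 * Only normal vEVENTs are modelled here. */
struct vevent {
    struct vevent_header hdr;
    size_t data_len;
};

/* Outcome of one simulated read() call. */
struct read_result {
    size_t done;          /* bytes the loop wrote into the user buffer */
    size_t overrun;       /* bytes written past the end of that buffer; 0 = safe */
    int events_copied;    /* events consumed from the queue */
};

/*
 * Model of the delivery loop. hdr_check_size is the constant the
 * "validate against the full size" check adds to data_len:
 *   sizeof(*hdr) -> 8 on every architecture (the patched check)
 *   sizeof(hdr)  -> the pointer width: 8 on 64-bit, 4 on 32-bit (the old check)
 * The copy itself always writes the full header plus the payload, mirroring
 * copy_to_user(buf + done, hdr, sizeof(*hdr)) followed by the payload copy.
 */
static struct read_result simulate_read(const struct vevent *q, size_t nq,
                                        size_t count, size_t hdr_check_size)
{
    struct read_result r = { 0, 0, 0 };
    size_t done = 0;

    for (size_t i = 0; i < nq; i++) {
        const struct vevent *cur = &q[i];
        size_t written;

        /* Unchanged by the patch: is there room for a header at all?
         * This is also what keeps count - done from underflowing below. */
        if (done >= count || sizeof(struct vevent_header) > count - done)
            break;

        /* The check the patch changes: header + payload must fit. */
        if (hdr_check_size + cur->data_len > count - done)
            break;      /* the kernel restores the event to the queue and stops */

        written = sizeof(struct vevent_header) + cur->data_len;
        if (done + written > count)
            r.overrun += done + written - count;   /* bytes the buffer cannot hold */
        done += written;
        r.events_copied++;
    }
    r.done = done;
    return r;
}

/* One event with a 16-byte payload read into a 20-byte buffer, with the
 * check sized as sizeof(hdr) on a simulated 32-bit build (4 bytes):
 * 4 + 16 = 20 is not > 20, so the event passes, yet 8 + 16 = 24 bytes are
 * written. Returns 4, the under-counted header bytes. */
static size_t overrun_with_pointer_sized_check(void)
{
    struct vevent q[1] = { { { 0, 1 }, 16 } };
    return simulate_read(q, 1, 20, 4).overrun;
}

/* The same read with the patched check, sizeof(*hdr) == 8: 24 > 20, so the
 * event is held back and nothing is written. Returns 0. */
static size_t overrun_with_header_sized_check(void)
{
    struct vevent q[1] = { { { 0, 1 }, 16 } };
    return simulate_read(q, 1, 20, sizeof(struct vevent_header)).overrun;
}

/* Normal operation under the patched check: two 24-byte events fill a
 * 48-byte buffer exactly. Returns 2. */
static int events_copied_when_buffer_fits(void)
{
    struct vevent q[2] = { { { 0, 1 }, 16 }, { { 0, 2 }, 16 } };
    return simulate_read(q, 2, 48, sizeof(struct vevent_header)).events_copied;
}

int main(void)
{
    printf("overrun with sizeof(hdr) check (32-bit model): %zu bytes\n",
           overrun_with_pointer_sized_check());
    printf("overrun with sizeof(*hdr) check:                %zu bytes\n",
           overrun_with_header_sized_check());
    printf("events copied into an exactly-sized buffer:     %d\n",
           events_copied_when_buffer_fits());
    return 0;
}
```

The pointer-sized check lets exactly one more event through than the buffer can hold, and the excess is always the difference between the header size and the pointer size; that is why the description calls the 64-bit case a coincidence of sizes rather than a correct check.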