From: Kai Aizen
To: jgg@nvidia.com
Cc: kevin.tian@intel.com, nicolinc@nvidia.com, will@kernel.org, robin.murphy@arm.com, joro@8bytes.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Kai Aizen
Subject: [PATCH v2] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
Date: Thu, 30 Apr 2026 20:56:30 +0300
Message-ID: <20260430175630.67078-1-kai.aizen.dev@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The bounds check in iommufd_veventq_fops_read() for the normal vEVENT path
uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):

    if (!vevent_for_lost_events_header(cur) &&
        sizeof(hdr) + cur->data_len > count - done) {

hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr) evaluates
to the size of the pointer. Surrounding code uses sizeof(*hdr) consistently:

    if (done >= count || sizeof(*hdr) > count - done) {
    ...
    if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
    ...
    done += sizeof(*hdr);

struct iommufd_vevent_header is currently 8 bytes (two __u32 fields, flags
and sequence), so on 64-bit (sizeof(void *) == 8) the two expressions happen
to be equal and the check works as intended.

On 32-bit (sizeof(void *) == 4) the check under-counts the header by 4
bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
count - done while 4 + cur->data_len does not will pass the check, then the
loop will copy_to_user 8 bytes of header followed by data_len bytes of
payload, writing past the user-supplied buffer.

It is also a latent bug for any future expansion of
struct iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
should not depend on the type happening to match the host pointer width.

Use sizeof(*hdr) to match the rest of the function and the actual amount
that will be copied.
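As an added illustration (not part of this patch or of the kernel source), a
user-space C model of the read loop's bounds check: struct vevent, model_read,
the 8-byte header, the 12-byte buffer and the single 8-byte event are all
constructed assumptions, chosen so that the sizeof(hdr) form admits an event
the copy then overruns when the pointer is 4 bytes wide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct iommufd_vevent_header: two __u32 fields. */
struct vevent_header { uint32_t flags; uint32_t sequence; };

/* Constructed queued event: header followed by data_len bytes of payload. */
struct vevent { struct vevent_header hdr; uint32_t data_len; };

/*
 * Model of the read loop. header_check_size is the header term used in the
 * full-size check: sizeof(*hdr) (correct) or the pointer width (the bug).
 * Returns the number of bytes the loop would write into the user buffer;
 * anything above count is an overrun.
 */
static size_t model_read(const struct vevent *q, size_t n, size_t count,
                         size_t header_check_size)
{
    size_t done = 0;
    for (size_t i = 0; i < n; i++) {
        const struct vevent *cur = &q[i];
        if (done >= count || sizeof(cur->hdr) > count - done)
            break;
        if (header_check_size + cur->data_len > count - done)
            break;
        done += sizeof(cur->hdr);   /* copy_to_user(buf + done, hdr, sizeof(*hdr)) */
        done += cur->data_len;      /* copy_to_user(buf + done, data, data_len)  */
    }
    return done;
}

/* Constructed sample: one event with 8 payload bytes, 12-byte user buffer. */
static const struct vevent sample_queue[] = { { { 0, 1 }, 8 } };
#define SAMPLE_COUNT 12

/* Bytes written to the 12-byte buffer for a given header term in the check. */
size_t bytes_written_with_check(size_t header_check_size)
{
    return model_read(sample_queue, 1, SAMPLE_COUNT, header_check_size);
}

int main(void)
{
    size_t ok  = bytes_written_with_check(sizeof(struct vevent_header));
    size_t p32 = bytes_written_with_check(4);   /* sizeof(hdr) on 32-bit */
    size_t p64 = bytes_written_with_check(8);   /* sizeof(hdr) on 64-bit */
    printf("sizeof(*hdr): %zu of %d bytes\n", ok, SAMPLE_COUNT);
    printf("4-byte ptr  : %zu of %d bytes%s\n", p32, SAMPLE_COUNT,
           p32 > SAMPLE_COUNT ? " (overrun)" : "");
    printf("8-byte ptr  : %zu of %d bytes\n", p64, SAMPLE_COUNT);
    return 0;
}
```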
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC") Cc: stable@vger.kernel.org Reported-by: Kai Aizen Signed-off-by: Kai Aizen --- v2: fix From/Signed-off-by to use real name and email address. --- drivers/iommu/iommufd/eventq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c index 710eef0b6..78689fb52 100644 --- a/drivers/iommu/iommufd/eventq.c +++ b/drivers/iommu/iommufd/eventq.c @@ -321,7 +321,7 @@ static ssize_t iommufd_veventq_fops_read(struct file *filep, char __user *buf, /* If being a normal vEVENT, validate against the full size */ if (!vevent_for_lost_events_header(cur) && - sizeof(hdr) + cur->data_len > count - done) { + sizeof(*hdr) + cur->data_len > count - done) { iommufd_veventq_deliver_restore(veventq, cur); break; } -- 2.43.0
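Review bot: the new condition in the hunk now uses the same sizeof(*hdr) term as the later copy_to_user(buf + done, hdr, sizeof(*hdr)) and done += sizeof(*hdr) quoted in the commit message, so the check and the copy can no longer disagree when the header struct or the host pointer width changes; the change itself looks correct and minimal. On the tags: Reported-by: names the same person as Signed-off-by:, and kernel convention is to follow Reported-by: with a Closes: link to the report, so either add that link or drop the Reported-by: when the author found the bug themselves.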