* [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
@ 2026-04-30 15:26 SnailSploit | Kai Aizen
2026-04-30 16:54 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: SnailSploit | Kai Aizen @ 2026-04-30 15:26 UTC (permalink / raw)
To: jgg
Cc: kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable, SnailSploit | Kai Aizen
From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
if (!vevent_for_lost_events_header(cur) &&
sizeof(hdr) + cur->data_len > count - done) {
hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
evaluates to the size of the pointer. Surrounding code uses
sizeof(*hdr) consistently:
if (done >= count || sizeof(*hdr) > count - done) {
...
if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
...
done += sizeof(*hdr);
struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
expressions happen to be equal and the check works as intended.
On 32-bit (sizeof(void *) == 4) the check under-counts the header by
4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
count - done while 4 + cur->data_len does not will pass the check,
then the loop will copy_to_user 8 bytes of header followed by data_len
bytes of payload, writing past the user-supplied buffer.
It is also a latent bug for any future expansion of struct
iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
should not depend on the type happening to match the host pointer
width.
Use sizeof(*hdr) to match the rest of the function and the actual
amount that will be copied.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Cc: stable@vger.kernel.org
Signed-off-by: SnailSploit | Kai Aizen <95986478+SnailSploit@users.noreply.github.com>
---
drivers/iommu/iommufd/eventq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index 710eef0b6..78689fb52 100644
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -321,7 +321,7 @@ static ssize_t iommufd_veventq_fops_read(struct file *filep, char __user *buf,
/* If being a normal vEVENT, validate against the full size */
if (!vevent_for_lost_events_header(cur) &&
- sizeof(hdr) + cur->data_len > count - done) {
+ sizeof(*hdr) + cur->data_len > count - done) {
iommufd_veventq_deliver_restore(veventq, cur);
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
@ 2026-04-30 15:41 SnailSploit | Kai Aizen
2026-04-30 16:54 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: SnailSploit | Kai Aizen @ 2026-04-30 15:41 UTC (permalink / raw)
To: jgg
Cc: kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable, SnailSploit | Kai Aizen
From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
The bound-check in iommufd_veventq_fops_read() for the normal vEVENT
path uses sizeof(hdr) where the surrounding code uses sizeof(*hdr):
if (!vevent_for_lost_events_header(cur) &&
sizeof(hdr) + cur->data_len > count - done) {
hdr is declared as struct iommufd_vevent_header *, so sizeof(hdr)
evaluates to the size of the pointer. Surrounding code uses
sizeof(*hdr) consistently:
if (done >= count || sizeof(*hdr) > count - done) {
...
if (copy_to_user(buf + done, hdr, sizeof(*hdr))) {
...
done += sizeof(*hdr);
struct iommufd_vevent_header is currently 8 bytes (two __u32 fields,
flags and sequence), so on 64-bit (sizeof(void *) == 8) the two
expressions happen to be equal and the check works as intended.
On 32-bit (sizeof(void *) == 4) the check under-counts the header by
4 bytes: a vEVENT whose data_len causes 8 + cur->data_len to exceed
count - done while 4 + cur->data_len does not will pass the check,
then the loop will copy_to_user 8 bytes of header followed by data_len
bytes of payload, writing past the user-supplied buffer.
It is also a latent bug for any future expansion of struct
iommufd_vevent_header beyond sizeof(void *) on 64-bit; the check
should not depend on the type happening to match the host pointer
width.
Use sizeof(*hdr) to match the rest of the function and the actual
amount that will be copied.
Fixes: e36ba5ab808e ("iommufd: Add IOMMUFD_OBJ_VEVENTQ and IOMMUFD_CMD_VEVENTQ_ALLOC")
Cc: stable@vger.kernel.org
Signed-off-by: SnailSploit | Kai Aizen <95986478+SnailSploit@users.noreply.github.com>
---
drivers/iommu/iommufd/eventq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/eventq.c b/drivers/iommu/iommufd/eventq.c
index 710eef0b6..78689fb52 100644
--- a/drivers/iommu/iommufd/eventq.c
+++ b/drivers/iommu/iommufd/eventq.c
@@ -321,7 +321,7 @@ static ssize_t iommufd_veventq_fops_read(struct file *filep, char __user *buf,
/* If being a normal vEVENT, validate against the full size */
if (!vevent_for_lost_events_header(cur) &&
- sizeof(hdr) + cur->data_len > count - done) {
+ sizeof(*hdr) + cur->data_len > count - done) {
iommufd_veventq_deliver_restore(veventq, cur);
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
2026-04-30 15:41 [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read SnailSploit | Kai Aizen
@ 2026-04-30 16:54 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-04-30 16:54 UTC (permalink / raw)
To: SnailSploit | Kai Aizen
Cc: jgg, kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable, SnailSploit | Kai Aizen
On Thu, Apr 30, 2026 at 06:41:00PM +0300, SnailSploit | Kai Aizen wrote:
> From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
Again, please use a real email address.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read
2026-04-30 15:26 SnailSploit | Kai Aizen
@ 2026-04-30 16:54 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-04-30 16:54 UTC (permalink / raw)
To: SnailSploit | Kai Aizen
Cc: jgg, kevin.tian, nicolinc, will, robin.murphy, joro, iommu,
linux-kernel, stable, SnailSploit | Kai Aizen
On Thu, Apr 30, 2026 at 06:26:58PM +0300, SnailSploit | Kai Aizen wrote:
> From: "SnailSploit | Kai Aizen" <95986478+SnailSploit@users.noreply.github.com>
Again, a valid email address please.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-30 16:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-30 15:41 [PATCH] iommufd: Use sizeof(*hdr) instead of sizeof(hdr) in veventq read SnailSploit | Kai Aizen
2026-04-30 16:54 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2026-04-30 15:26 SnailSploit | Kai Aizen
2026-04-30 16:54 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox