From: Eder Zulian <ezulian@redhat.com>
To: stable@vger.kernel.org
Cc: Eder Zulian <ezulian@redhat.com>, Joerg Roedel <joerg.roedel@amd.com>
Subject: [PATCH 6.18.y] iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
Date: Thu, 21 May 2026 16:54:01 +0200 [thread overview]
Message-ID: <20260521145401.316511-1-ezulian@redhat.com> (raw)
In-Reply-To: <2026052055-satirical-mousy-05cf@gregkh>
In iommu_mmio_write() and iommu_capability_write(),
iommu->dbg_mmio_offset and iommu->dbg_cap_offset are int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.
Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.
1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
e.g. 0xffffffff isn't a valid input.
if (cnt > OFS_IN_SZ)
return -EINVAL;
2. Implicit type promotion in iommu_mmio_write(), iommu->dbg_mmio_offset
is int and iommu->mmio_phys_end is u64
if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
return -EINVAL;
3. The show handlers would currently catch the negative number and
refuse to perform the read.
Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().
Signed-off-by: Eder Zulian <ezulian@redhat.com>
Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU MMIO registers")
Cc: stable@vger.kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
(cherry picked from commit 8dfd3d8d74435344ee8dc9237596959c8b2a6cbe)
---
drivers/iommu/amd/debugfs.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
index 20b04996441d..bb0c8552bc0f 100644
--- a/drivers/iommu/amd/debugfs.c
+++ b/drivers/iommu/amd/debugfs.c
@@ -33,11 +33,12 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf,
if (cnt > OFS_IN_SZ)
return -EINVAL;
- ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_mmio_offset);
+ ret = kstrtos32_from_user(ubuf, cnt, 0, &iommu->dbg_mmio_offset);
if (ret)
return ret;
- if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) {
+ if (iommu->dbg_mmio_offset < 0 || iommu->dbg_mmio_offset >
+ iommu->mmio_phys_end - sizeof(u64)) {
iommu->dbg_mmio_offset = -1;
return -EINVAL;
}
@@ -74,12 +75,12 @@ static ssize_t iommu_capability_write(struct file *filp, const char __user *ubuf
if (cnt > OFS_IN_SZ)
return -EINVAL;
- ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_cap_offset);
+ ret = kstrtos32_from_user(ubuf, cnt, 0, &iommu->dbg_cap_offset);
if (ret)
return ret;
/* Capability register at offset 0x14 is the last IOMMU capability register. */
- if (iommu->dbg_cap_offset > 0x14) {
+ if (iommu->dbg_cap_offset < 0 || iommu->dbg_cap_offset > 0x14) {
iommu->dbg_cap_offset = -1;
return -EINVAL;
}
--
2.54.0
prev parent reply other threads:[~2026-05-21 14:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 14:41 FAILED: patch "[PATCH] iommu/amd: Remove latent out-of-bounds access in IOMMU" failed to apply to 6.18-stable tree gregkh
2026-05-21 14:54 ` Eder Zulian [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260521145401.316511-1-ezulian@redhat.com \
--to=ezulian@redhat.com \
--cc=joerg.roedel@amd.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox