From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8841823C50A for ; Thu, 21 May 2026 14:54:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779375279; cv=none; b=B2VaLGo9TcTyPh+ZO+Rc+BaIxAoh2OeUP88x89HT/zePJ6Ix4KfoOu3Y4gs/5nmCiycRq8UXkKBF9OuYGbazStkn5fXT+2Vkufkjf8KxyF90ePZqeHrqfdd3BS/CcMWmlDs2xhHv/0XWd04zwA5uuC2mURcHouph1Pv/oWMphK0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779375279; c=relaxed/simple; bh=tNf+jQSIhtyKdNZJ3FdnxttmKjIwnuF19Qpw5/Zlfno=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hbRa9qYFIweeFhXTkb2Ry/axmzXCAGL7/k2NIp0GNtNKQFI/1IRDfysIDrqyre5exIZmN7ZGEIO/nekfGobtQ4s45YEK2KarJuzZvKrnxidoBsIOxOteGfDoPKXnAXTWpLvqbvQ7UjOgTrVlyWFvNL+Ptu3GEcTGJBkY5qDmXPo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=GB6r2D0u; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="GB6r2D0u" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1779375277; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YkpUKxYRq3JBmCsLVuUvlcRB20ZuCKg4fZnwr9v9arA=; b=GB6r2D0uDBOcDp+54uuIdkMjAwP9WAYQPgKWDMJJhiRDtu/CgkCXFluNabv3ugWGHgqj8X Yn7TlfiCgKlWVRj10DCKtZuUvC7nzO6Q3zNITGq383l8FMhAKHhPTZ1rTtKqrkTTyBhM9E lcWk52N99jBSUneibI5+EeAMwaP+bic= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-493-B5UuCS7_PzetmMcZEkJ2Dg-1; Thu, 21 May 2026 10:54:08 -0400 X-MC-Unique: B5UuCS7_PzetmMcZEkJ2Dg-1 X-Mimecast-MFC-AGG-ID: B5UuCS7_PzetmMcZEkJ2Dg_1779375247 Received: from mx-prod-int-10.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-10.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.95]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 163DB195608C; Thu, 21 May 2026 14:54:06 +0000 (UTC) Received: from ezulian-p1gen7.rmtde.csb (unknown [10.44.33.129]) by mx-prod-int-10.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id EB0971681; Thu, 21 May 2026 14:54:04 +0000 (UTC) From: Eder Zulian To: stable@vger.kernel.org Cc: Eder Zulian , Joerg Roedel Subject: [PATCH 6.18.y] iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs Date: Thu, 21 May 2026 16:54:01 +0200 Message-ID: <20260521145401.316511-1-ezulian@redhat.com> In-Reply-To: <2026052055-satirical-mousy-05cf@gregkh> References: <2026052055-satirical-mousy-05cf@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.6 on 10.30.177.95 In iommu_mmio_write() and iommu_capability_write(), iommu->dbg_mmio_offset and iommu->dbg_cap_offset are int. However, they are populated using kstrtou32_from_user(). If a user provides a sufficiently large value, it can become a negative integer. Prior to this patch, the AMD IOMMU debugfs implementation was already protected by different mechanisms. 1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so e.g. 0xffffffff isn't a valid input. if (cnt > OFS_IN_SZ) return -EINVAL; 2. Implicit type promotion in iommu_mmio_write(), iommu->dbg_mmio_offset is int and iommu->mmio_phys_end is u64 if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) return -EINVAL; 3. The show handlers would currently catch the negative number and refuse to perform the read. Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the input, and check for negative values to explicitly prevent out-of-bounds memory accesses directly in iommu_mmio_write() and iommu_capability_write(). Signed-off-by: Eder Zulian Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU MMIO registers") Cc: stable@vger.kernel.org Signed-off-by: Joerg Roedel (cherry picked from commit 8dfd3d8d74435344ee8dc9237596959c8b2a6cbe) --- drivers/iommu/amd/debugfs.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c index 20b04996441d..bb0c8552bc0f 100644 --- a/drivers/iommu/amd/debugfs.c +++ b/drivers/iommu/amd/debugfs.c @@ -33,11 +33,12 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf, if (cnt > OFS_IN_SZ) return -EINVAL; - ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_mmio_offset); + ret = kstrtos32_from_user(ubuf, cnt, 0, &iommu->dbg_mmio_offset); if (ret) return ret; - if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) { + if (iommu->dbg_mmio_offset < 0 || iommu->dbg_mmio_offset > + iommu->mmio_phys_end - sizeof(u64)) { iommu->dbg_mmio_offset = -1; return -EINVAL; } @@ -74,12 +75,12 @@ static ssize_t iommu_capability_write(struct file *filp, const char __user *ubuf if (cnt > OFS_IN_SZ) return -EINVAL; - ret = kstrtou32_from_user(ubuf, cnt, 0, &iommu->dbg_cap_offset); + ret = kstrtos32_from_user(ubuf, cnt, 0, &iommu->dbg_cap_offset); if (ret) return ret; /* Capability register at offset 0x14 is the last IOMMU capability register. */ - if (iommu->dbg_cap_offset > 0x14) { + if (iommu->dbg_cap_offset < 0 || iommu->dbg_cap_offset > 0x14) { iommu->dbg_cap_offset = -1; return -EINVAL; } -- 2.54.0