Commit | Line | Data |
---|---|---|
38edc49d SLM |
1 | From bd75182688c19eafc1df7c5a5e2a3169b53c4baf Mon Sep 17 00:00:00 2001 |
2 | From: Julia Cartwright <julia@ni.com> | |
3 | Date: Wed, 20 Feb 2019 16:46:31 +0000 | |
4 | Subject: iommu/dmar: Fix buffer overflow during PCI bus notification | |
5 | ||
6 | [ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ] | |
7 | ||
8 | Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI | |
9 | device path") changed the type of the path data, however, the change in | |
10 | path type was not reflected in size calculations. Update to use the | |
11 | correct type and prevent a buffer overflow. | |
12 | ||
13 | This bug manifests in systems with deep PCI hierarchies, and can lead to | |
14 | an overflow of the statically allocated buffer (dmar_pci_notify_info_buf), | |
15 | or can lead to overflow of slab-allocated data. | |
16 | ||
17 | BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0 | |
18 | Write of size 1 at addr ffffffff90445d80 by task swapper/0/1 | |
19 | CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1 | |
20 | Call Trace: | |
21 | ? dump_stack+0x46/0x59 | |
22 | ? print_address_description+0x1df/0x290 | |
23 | ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 | |
24 | ? kasan_report+0x256/0x340 | |
25 | ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 | |
26 | ? e820__memblock_setup+0xb0/0xb0 | |
27 | ? dmar_dev_scope_init+0x424/0x48f | |
28 | ? __down_write_common+0x1ec/0x230 | |
29 | ? dmar_dev_scope_init+0x48f/0x48f | |
30 | ? dmar_free_unused_resources+0x109/0x109 | |
31 | ? cpumask_next+0x16/0x20 | |
32 | ? __kmem_cache_create+0x392/0x430 | |
33 | ? kmem_cache_create+0x135/0x2f0 | |
34 | ? e820__memblock_setup+0xb0/0xb0 | |
35 | ? intel_iommu_init+0x170/0x1848 | |
36 | ? _raw_spin_unlock_irqrestore+0x32/0x60 | |
37 | ? migrate_enable+0x27a/0x5b0 | |
38 | ? sched_setattr+0x20/0x20 | |
39 | ? migrate_disable+0x1fc/0x380 | |
40 | ? task_rq_lock+0x170/0x170 | |
41 | ? try_to_run_init_process+0x40/0x40 | |
42 | ? locks_remove_file+0x85/0x2f0 | |
43 | ? dev_prepare_static_identity_mapping+0x78/0x78 | |
44 | ? rt_spin_unlock+0x39/0x50 | |
45 | ? lockref_put_or_lock+0x2a/0x40 | |
46 | ? dput+0x128/0x2f0 | |
47 | ? __rcu_read_unlock+0x66/0x80 | |
48 | ? __fput+0x250/0x300 | |
49 | ? __rcu_read_lock+0x1b/0x30 | |
50 | ? mntput_no_expire+0x38/0x290 | |
51 | ? e820__memblock_setup+0xb0/0xb0 | |
52 | ? pci_iommu_init+0x25/0x63 | |
53 | ? pci_iommu_init+0x25/0x63 | |
54 | ? do_one_initcall+0x7e/0x1c0 | |
55 | ? initcall_blacklisted+0x120/0x120 | |
56 | ? kernel_init_freeable+0x27b/0x307 | |
57 | ? rest_init+0xd0/0xd0 | |
58 | ? kernel_init+0xf/0x120 | |
59 | ? rest_init+0xd0/0xd0 | |
60 | ? ret_from_fork+0x1f/0x40 | |
61 | The buggy address belongs to the variable: | |
62 | dmar_pci_notify_info_buf+0x40/0x60 | |
63 | ||
64 | Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") | |
65 | Signed-off-by: Julia Cartwright <julia@ni.com> | |
66 | Signed-off-by: Joerg Roedel <jroedel@suse.de> | |
67 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
68 | --- | |
69 | drivers/iommu/dmar.c | 2 +- | |
70 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
71 | ||
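diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index 5a63e32a4a6b..cbad1926cec1 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event)
 for (tmp = dev; tmp; tmp = tmp->bus->self)
 level++;
 
- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
+ size = sizeof(*info) + level * sizeof(info->path[0]);
 if (size <= sizeof(dmar_pci_notify_info_buf)) {
 info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
 } else {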
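Review bot: The corrected line `size = sizeof(*info) + level * sizeof(info->path[0]);` still open-codes the header-plus-trailing-array arithmetic, so nothing in the expression itself guards against the multiplication wrapping or against being copied with the wrong member again. Where the target tree provides the `struct_size()` helper from `linux/overflow.h` (it may be absent in older stable branches), `size = struct_size(info, path, level);` expresses the same size, derives the element type from the member, and saturates on overflow. This size decides between the static `dmar_pci_notify_info_buf` and the allocation in the `else` branch, so it is the single value that bounds the later writes into `path[]`. The function starts before and continues past this hunk, so the allocation call and the loop that fills `path[]` are not visible here and should be confirmed to use the same `level`.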
85 | -- | |
86 | 2.19.1 | |
87 |