1 From d16fdf746a9e61070ce5dc64c78b9e447e046167 Mon Sep 17 00:00:00 2001
2 From: Julia Cartwright <julia@ni.com>
3 Date: Wed, 20 Feb 2019 16:46:31 +0000
4 Subject: iommu/dmar: Fix buffer overflow during PCI bus notification
5
6 [ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ]
7
8 Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
9 device path") changed the type of the path data, however, the change in
10 path type was not reflected in size calculations. Update to use the
11 correct type and prevent a buffer overflow.
12
13 This bug manifests in systems with deep PCI hierarchies, and can lead to
14 an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
15 or can lead to overflow of slab-allocated data.
16
17 BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
18 Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
19 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
20 Call Trace:
21 ? dump_stack+0x46/0x59
22 ? print_address_description+0x1df/0x290
23 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
24 ? kasan_report+0x256/0x340
25 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
26 ? e820__memblock_setup+0xb0/0xb0
27 ? dmar_dev_scope_init+0x424/0x48f
28 ? __down_write_common+0x1ec/0x230
29 ? dmar_dev_scope_init+0x48f/0x48f
30 ? dmar_free_unused_resources+0x109/0x109
31 ? cpumask_next+0x16/0x20
32 ? __kmem_cache_create+0x392/0x430
33 ? kmem_cache_create+0x135/0x2f0
34 ? e820__memblock_setup+0xb0/0xb0
35 ? intel_iommu_init+0x170/0x1848
36 ? _raw_spin_unlock_irqrestore+0x32/0x60
37 ? migrate_enable+0x27a/0x5b0
38 ? sched_setattr+0x20/0x20
39 ? migrate_disable+0x1fc/0x380
40 ? task_rq_lock+0x170/0x170
41 ? try_to_run_init_process+0x40/0x40
42 ? locks_remove_file+0x85/0x2f0
43 ? dev_prepare_static_identity_mapping+0x78/0x78
44 ? rt_spin_unlock+0x39/0x50
45 ? lockref_put_or_lock+0x2a/0x40
46 ? dput+0x128/0x2f0
47 ? __rcu_read_unlock+0x66/0x80
48 ? __fput+0x250/0x300
49 ? __rcu_read_lock+0x1b/0x30
50 ? mntput_no_expire+0x38/0x290
51 ? e820__memblock_setup+0xb0/0xb0
52 ? pci_iommu_init+0x25/0x63
53 ? pci_iommu_init+0x25/0x63
54 ? do_one_initcall+0x7e/0x1c0
55 ? initcall_blacklisted+0x120/0x120
56 ? kernel_init_freeable+0x27b/0x307
57 ? rest_init+0xd0/0xd0
58 ? kernel_init+0xf/0x120
59 ? rest_init+0xd0/0xd0
60 ? ret_from_fork+0x1f/0x40
61 The buggy address belongs to the variable:
62 dmar_pci_notify_info_buf+0x40/0x60
63
64 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
65 Signed-off-by: Julia Cartwright <julia@ni.com>
66 Signed-off-by: Joerg Roedel <jroedel@suse.de>
67 Signed-off-by: Sasha Levin <sashal@kernel.org>
68 ---
69 drivers/iommu/dmar.c | 2 +-
70 1 file changed, 1 insertion(+), 1 deletion(-)
71
72 diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
73 index 63110fbbb410..d51734e0c350 100644
74 --- a/drivers/iommu/dmar.c
75 +++ b/drivers/iommu/dmar.c
76 @@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event)
77 for (tmp = dev; tmp; tmp = tmp->bus->self)
78 level++;
79
80 - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
81 + size = sizeof(*info) + level * sizeof(info->path[0]);
82 if (size <= sizeof(dmar_pci_notify_info_buf)) {
83 info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
84 } else {
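Review bot: The corrected `size =` line carries no comment explaining why the element size is taken from `info->path[0]`, and that choice is what makes the `size <= sizeof(dmar_pci_notify_info_buf)` check below it meaningful. I would add above it `/* element size must follow info->path[], which is not the ACPI table's struct acpi_dmar_pci_path */`, so a later edit does not reintroduce a named type that can drift from the array again. Using `info` inside `sizeof` before it is assigned is fine because the operand is not evaluated. The function starts and ends outside this hunk, so the code that fills `path[]` is not visible here; it is worth confirming that those writes are bounded by the same `level` count used for the allocation.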
85 --
86 2.19.1
87