iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show

[ Upstream commit a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7 ]

In iommu_mmio_write(), it validates the user-provided offset with the
check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.
This assumes a 4-byte access. However, the corresponding
show handler, iommu_mmio_show(), uses readq() to perform an 8-byte
(64-bit) read.

If a user provides an offset equal to `mmio_phys_end - 4`, the check
passes, and will lead to a 4-byte out-of-bounds read.

Fix this by adjusting the boundary check to use sizeof(u64), which
corresponds to the size of the readq() operation.

Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU MMIO registers")
Signed-off-by: Songtang Liu <liusongtang@bytedance.com>
Reviewed-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@amd.com>
Tested-by: Dheeraj Kumar Srivastava <dheerajkumar.srivastava@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
index 10fa217a711993657f216bcda60ff0715056b5b2..20b04996441d62273a8c17d9cc152e05045f1b62 100644 (file)
--- a/drivers/iommu/amd/debugfs.c
+++ b/drivers/iommu/amd/debugfs.c
@@ -37,7 +37,7 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf,
        if (ret)
                return ret;
 
-       if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4) {
+       if (iommu->dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64)) {
                iommu->dbg_mmio_offset = -1;
                return  -EINVAL;
        }