git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Eder Zulian <ezulian@redhat.com>
	Fri, 10 Apr 2026 12:55:50 +0000 (14:55 +0200)
committer	Joerg Roedel <joerg.roedel@amd.com>
	Mon, 11 May 2026 07:52:54 +0000 (09:52 +0200)
commit	8dfd3d8d74435344ee8dc9237596959c8b2a6cbe
tree	c56f491b6b365e00ac9a19cb54ed8ef8b75fed06	tree \| snapshot
parent	5d6919055dec134de3c40167a490f33c74c12581	commit \| diff

iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs

In iommu_mmio_write() and iommu_capability_write(), the variables
dbg_mmio_offset and dbg_cap_offset are declared as int. However, they
are populated using kstrtou32_from_user(). If a user provides a
sufficiently large value, it can become a negative integer.

Prior to this patch, the AMD IOMMU debugfs implementation was already
protected by different mechanisms.

1. #define OFS_IN_SZ 8 ensures the user string <= 8 bytes, so
   e.g. 0xffffffff isn't a valid input.

  if (cnt > OFS_IN_SZ)
     return -EINVAL;

2. Implicit type promotion in iommu_mmio_write(), dbg_mmio_offset is int
   and iommu->mmio_phys_end is u64

  if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))
      return -EINVAL;

3. The show handlers would currently catch the negative number and
   refuse to perform the read.

Replace kstrtou32_from_user() with kstrtos32_from_user() to parse the
input, and check for negative values to explicitly prevent out-of-bounds
memory accesses directly in iommu_mmio_write() and
iommu_capability_write().

Signed-off-by: Eder Zulian <ezulian@redhat.com>
Fixes: 7a4ee419e8c1 ("iommu/amd: Add debugfs support to dump IOMMU MMIO registers")
Cc: stable@vger.kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>