From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Julia Cartwright <julia@ni.com>, Joerg Roedel <jroedel@suse.de>, Sasha Levin <sashal@kernel.org>, iommu@lists.linux-foundation.org Subject: [PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification Date: Fri, 29 Mar 2019 21:28:31 -0400 [thread overview] Message-ID: <20190330012854.32212-38-sashal@kernel.org> (raw) In-Reply-To: <20190330012854.32212-1-sashal@kernel.org> From: Julia Cartwright <julia@ni.com> [ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ] Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") changed the type of the path data, however, the change in path type was not reflected in size calculations. Update to use the correct type and prevent a buffer overflow. This bug manifests in systems with deep PCI hierarchies, and can lead to an overflow of the static allocated buffer (dmar_pci_notify_info_buf), or can lead to overflow of slab-allocated data. BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0 Write of size 1 at addr ffffffff90445d80 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1 Call Trace: ? dump_stack+0x46/0x59 ? print_address_description+0x1df/0x290 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? kasan_report+0x256/0x340 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? e820__memblock_setup+0xb0/0xb0 ? dmar_dev_scope_init+0x424/0x48f ? __down_write_common+0x1ec/0x230 ? dmar_dev_scope_init+0x48f/0x48f ? dmar_free_unused_resources+0x109/0x109 ? cpumask_next+0x16/0x20 ? __kmem_cache_create+0x392/0x430 ? kmem_cache_create+0x135/0x2f0 ? e820__memblock_setup+0xb0/0xb0 ? intel_iommu_init+0x170/0x1848 ? _raw_spin_unlock_irqrestore+0x32/0x60 ? migrate_enable+0x27a/0x5b0 ? sched_setattr+0x20/0x20 ? migrate_disable+0x1fc/0x380 ? task_rq_lock+0x170/0x170 ? try_to_run_init_process+0x40/0x40 ? locks_remove_file+0x85/0x2f0 ? dev_prepare_static_identity_mapping+0x78/0x78 ? rt_spin_unlock+0x39/0x50 ? lockref_put_or_lock+0x2a/0x40 ? dput+0x128/0x2f0 ? __rcu_read_unlock+0x66/0x80 ? __fput+0x250/0x300 ? __rcu_read_lock+0x1b/0x30 ? mntput_no_expire+0x38/0x290 ? e820__memblock_setup+0xb0/0xb0 ? pci_iommu_init+0x25/0x63 ? pci_iommu_init+0x25/0x63 ? do_one_initcall+0x7e/0x1c0 ? initcall_blacklisted+0x120/0x120 ? kernel_init_freeable+0x27b/0x307 ? rest_init+0xd0/0xd0 ? kernel_init+0xf/0x120 ? rest_init+0xd0/0xd0 ? ret_from_fork+0x1f/0x40 The buggy address belongs to the variable: dmar_pci_notify_info_buf+0x40/0x60 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") Signed-off-by: Julia Cartwright <julia@ni.com> Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index d9c748b6f9e4..7f9824b0609e 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> To: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Cc: Sasha Levin <sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Joerg Roedel <jroedel-l3A5Bk7waGM@public.gmane.org>, Julia Cartwright <julia-acOepvfBmUk@public.gmane.org> Subject: [PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification Date: Fri, 29 Mar 2019 21:28:31 -0400 [thread overview] Message-ID: <20190330012854.32212-38-sashal@kernel.org> (raw) In-Reply-To: <20190330012854.32212-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> From: Julia Cartwright <julia-acOepvfBmUk@public.gmane.org> [ Upstream commit cffaaf0c816238c45cd2d06913476c83eb50f682 ] Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") changed the type of the path data, however, the change in path type was not reflected in size calculations. Update to use the correct type and prevent a buffer overflow. This bug manifests in systems with deep PCI hierarchies, and can lead to an overflow of the static allocated buffer (dmar_pci_notify_info_buf), or can lead to overflow of slab-allocated data. BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0 Write of size 1 at addr ffffffff90445d80 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1 Call Trace: ? dump_stack+0x46/0x59 ? print_address_description+0x1df/0x290 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? kasan_report+0x256/0x340 ? dmar_alloc_pci_notify_info+0x1d5/0x2e0 ? e820__memblock_setup+0xb0/0xb0 ? dmar_dev_scope_init+0x424/0x48f ? __down_write_common+0x1ec/0x230 ? dmar_dev_scope_init+0x48f/0x48f ? dmar_free_unused_resources+0x109/0x109 ? cpumask_next+0x16/0x20 ? __kmem_cache_create+0x392/0x430 ? kmem_cache_create+0x135/0x2f0 ? e820__memblock_setup+0xb0/0xb0 ? intel_iommu_init+0x170/0x1848 ? _raw_spin_unlock_irqrestore+0x32/0x60 ? migrate_enable+0x27a/0x5b0 ? sched_setattr+0x20/0x20 ? migrate_disable+0x1fc/0x380 ? task_rq_lock+0x170/0x170 ? try_to_run_init_process+0x40/0x40 ? locks_remove_file+0x85/0x2f0 ? dev_prepare_static_identity_mapping+0x78/0x78 ? rt_spin_unlock+0x39/0x50 ? lockref_put_or_lock+0x2a/0x40 ? dput+0x128/0x2f0 ? __rcu_read_unlock+0x66/0x80 ? __fput+0x250/0x300 ? __rcu_read_lock+0x1b/0x30 ? mntput_no_expire+0x38/0x290 ? e820__memblock_setup+0xb0/0xb0 ? pci_iommu_init+0x25/0x63 ? pci_iommu_init+0x25/0x63 ? do_one_initcall+0x7e/0x1c0 ? initcall_blacklisted+0x120/0x120 ? kernel_init_freeable+0x27b/0x307 ? rest_init+0xd0/0xd0 ? kernel_init+0xf/0x120 ? rest_init+0xd0/0xd0 ? ret_from_fork+0x1f/0x40 The buggy address belongs to the variable: dmar_pci_notify_info_buf+0x40/0x60 Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path") Signed-off-by: Julia Cartwright <julia-acOepvfBmUk@public.gmane.org> Signed-off-by: Joerg Roedel <jroedel-l3A5Bk7waGM@public.gmane.org> Signed-off-by: Sasha Levin <sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> --- drivers/iommu/dmar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index d9c748b6f9e4..7f9824b0609e 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) for (tmp = dev; tmp; tmp = tmp->bus->self) level++; - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); + size = sizeof(*info) + level * sizeof(info->path[0]); if (size <= sizeof(dmar_pci_notify_info_buf)) { info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; } else { -- 2.19.1
next prev parent reply other threads:[~2019-03-30 1:38 UTC|newest] Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-03-30 1:27 [PATCH AUTOSEL 4.19 01/57] drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up Sasha Levin 2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 02/57] gpio: pxa: handle corner case of unprobed device Sasha Levin 2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 03/57] rsi: improve kernel thread handling to fix kernel panic Sasha Levin 2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 04/57] f2fs: fix to avoid NULL pointer dereference on se->discard_map Sasha Levin 2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 05/57] 9p: do not trust pdu content for stat item size Sasha Levin 2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 06/57] 9p locks: add mount option for lock retry interval Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 07/57] ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx() Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 08/57] f2fs: fix to do sanity check with current segment number Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 09/57] netfilter: xt_cgroup: shrink size of v2 path Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 10/57] serial: uartps: console_setup() can't be placed to init section Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 11/57] powerpc/pseries: Remove prrn_work workqueue Sasha Levin 2019-03-30 1:28 ` Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 12/57] media: au0828: cannot kfree dev before usb disconnect Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 13/57] Bluetooth: Fix debugfs NULL pointer dereference Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 14/57] HID: i2c-hid: override HID descriptors for certain devices Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 15/57] pinctrl: core: make sure strcmp() doesn't get a null parameter Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 16/57] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 17/57] usbip: fix vhci_hcd controller counting Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 18/57] ACPI / SBS: Fix GPE storm on recent MacBookPro's Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 19/57] HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2 Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 20/57] KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 21/57] compiler.h: update definition of unreachable() Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 22/57] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 23/57] f2fs: cleanup dirty pages if recover failed Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 24/57] net: stmmac: Set OWN bit for jumbo frames Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 25/57] cifs: fallback to older infolevels on findfirst queryinfo retry Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 26/57] kernel: hung_task.c: disable on suspend Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 27/57] platform/x86: Add Intel AtomISP2 dummy / power-management driver Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 28/57] nvme-pci: fix conflicting p2p resource adds Sasha Levin 2019-03-30 1:28 ` Sasha Levin 2019-04-01 17:36 ` Heitke, Kenneth 2019-04-01 17:36 ` Heitke, Kenneth 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 29/57] drm/ttm: Fix bo_global and mem_global kfree error Sasha Levin 2019-03-30 1:28 ` Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 30/57] ALSA: hda: fix front speakers on Huawei MBXP Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 31/57] ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 32/57] net/rds: fix warn in rds_message_alloc_sgs Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 33/57] blk-mq: protect debugfs_create_files() from failures Sasha Levin 2019-03-30 5:43 ` Greg Kroah-Hartman 2019-04-03 16:17 ` Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 34/57] xfrm: destroy xfrm_state synchronously on net exit path Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 35/57] crypto: sha256/arm - fix crash bug in Thumb2 build Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 36/57] crypto: sha512/arm " Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 37/57] net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version Sasha Levin 2019-03-30 1:28 ` Sasha Levin [this message] 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 39/57] scsi: core: Avoid that system resume triggers a kernel warning Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 40/57] kvm: properly check debugfs dentry before using it Sasha Levin 2019-03-30 5:43 ` Greg Kroah-Hartman 2019-04-03 16:16 ` Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 41/57] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered() Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 42/57] ext4: prohibit fstrim in norecovery mode Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 43/57] lkdtm: Print real addresses Sasha Levin 2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 44/57] lkdtm: Add tests for NULL pointer dereference Sasha Levin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190330012854.32212-38-sashal@kernel.org \ --to=sashal@kernel.org \ --cc=iommu@lists.linux-foundation.org \ --cc=jroedel@suse.de \ --cc=julia@ni.com \ --cc=linux-kernel@vger.kernel.org \ --cc=stable@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.