iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cffaaf0c81
linux/drivers/iommu
History
Julia Cartwright cffaaf0c81 iommu/dmar: Fix buffer overflow during PCI bus notification 
Commit 57384592c4 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data, however, the change in
path type was not reflected in size calculations.  Update to use the
correct type and prevent a buffer overflow.

This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.

   BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
   Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
   CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W       4.14.87-rt49-02406-gd0a0e96 #1
   Call Trace:
    ? dump_stack+0x46/0x59
    ? print_address_description+0x1df/0x290
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? kasan_report+0x256/0x340
    ? dmar_alloc_pci_notify_info+0x1d5/0x2e0
    ? e820__memblock_setup+0xb0/0xb0
    ? dmar_dev_scope_init+0x424/0x48f
    ? __down_write_common+0x1ec/0x230
    ? dmar_dev_scope_init+0x48f/0x48f
    ? dmar_free_unused_resources+0x109/0x109
    ? cpumask_next+0x16/0x20
    ? __kmem_cache_create+0x392/0x430
    ? kmem_cache_create+0x135/0x2f0
    ? e820__memblock_setup+0xb0/0xb0
    ? intel_iommu_init+0x170/0x1848
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? migrate_enable+0x27a/0x5b0
    ? sched_setattr+0x20/0x20
    ? migrate_disable+0x1fc/0x380
    ? task_rq_lock+0x170/0x170
    ? try_to_run_init_process+0x40/0x40
    ? locks_remove_file+0x85/0x2f0
    ? dev_prepare_static_identity_mapping+0x78/0x78
    ? rt_spin_unlock+0x39/0x50
    ? lockref_put_or_lock+0x2a/0x40
    ? dput+0x128/0x2f0
    ? __rcu_read_unlock+0x66/0x80
    ? __fput+0x250/0x300
    ? __rcu_read_lock+0x1b/0x30
    ? mntput_no_expire+0x38/0x290
    ? e820__memblock_setup+0xb0/0xb0
    ? pci_iommu_init+0x25/0x63
    ? pci_iommu_init+0x25/0x63
    ? do_one_initcall+0x7e/0x1c0
    ? initcall_blacklisted+0x120/0x120
    ? kernel_init_freeable+0x27b/0x307
    ? rest_init+0xd0/0xd0
    ? kernel_init+0xf/0x120
    ? rest_init+0xd0/0xd0
    ? ret_from_fork+0x1f/0x40
   The buggy address belongs to the variable:
    dmar_pci_notify_info_buf+0x40/0x60

Fixes: 57384592c4 ("iommu/vt-d: Store bus information in RMRR PCI device path")
Signed-off-by: Julia Cartwright <julia@ni.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2019-02-26 11:24:37 +01:00
..
amd_iommu_debugfs.c iommu/amd: Add basic debugfs infrastructure for AMD IOMMU 2018-07-06 14:06:30 +02:00
amd_iommu_init.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
amd_iommu_proto.h iommu/amd: Add basic debugfs infrastructure for AMD IOMMU 2018-07-06 14:06:30 +02:00
amd_iommu_types.h iommu/amd: Ignore page-mode 7 in free_sub_pt() 2018-11-15 16:40:53 +01:00
amd_iommu_v2.c iommu/amd: Use pr_fmt() 2018-11-28 09:47:41 +01:00
amd_iommu.c iommu/amd: Fix IOMMU page flush when detach device from a domain 2019-01-24 15:24:49 +01:00
arm-smmu-regs.h iommu/arm-smmu: Split out register defines 2017-08-15 17:34:48 +02:00
arm-smmu-v3.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
arm-smmu.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
dma-iommu.c IOMMU Updates for Linux v4.21 2019-01-01 15:55:29 -08:00
dmar.c iommu/dmar: Fix buffer overflow during PCI bus notification 2019-02-26 11:24:37 +01:00
exynos-iommu.c IOMMU Update for Linux v4.19 2018-08-24 13:10:38 -07:00
fsl_pamu_domain.c Merge branches 'arm/renesas', 'arm/smmu', 'ppc/pamu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-10-10 18:09:37 +02:00
fsl_pamu_domain.h iommu/pamu: Fix PAMU boot crash 2017-08-23 16:28:09 +02:00
fsl_pamu.c iommu: fsl_pamu: use for_each_of_cpu_node iterator 2018-09-28 14:25:58 -05:00
fsl_pamu.h iommu/pamu: Fix PAMU boot crash 2017-08-23 16:28:09 +02:00
intel_irq_remapping.c iommu/vt-d: Add 256-bit invalidation descriptor support 2018-12-11 10:45:58 +01:00
intel-iommu-debugfs.c iommu/vt-d: Add debugfs support to show context internals 2018-09-25 14:33:44 +02:00
intel-iommu.c iommu/vt-d: Leave scalable mode default off 2019-01-30 17:23:58 +01:00
intel-pasid.c iommu/vt-d: Shared virtual address in scalable mode 2018-12-11 10:46:00 +01:00
intel-pasid.h iommu/vt-d: Shared virtual address in scalable mode 2018-12-11 10:46:00 +01:00
intel-svm.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
io-pgtable-arm-v7s.c Revert "iommu/io-pgtable-arm: Check for v7s-incapable systems" 2018-12-17 10:19:10 +01:00
io-pgtable-arm.c iommu/io-pgtable-arm: Add support for non-strict mode 2018-10-01 13:01:33 +01:00
io-pgtable.c iommu/io-pgtable: Fix a brace coding style issue. 2016-04-05 15:34:29 +02:00
io-pgtable.h iommu/io-pgtable-arm: Add support for non-strict mode 2018-10-01 13:01:33 +01:00
iommu-debugfs.c iommu: Enable debugfs exposure of IOMMU driver internals 2018-07-06 14:06:30 +02:00
iommu-sysfs.c iommu/sysfs: Rename iommu_release_device() 2018-12-17 12:47:49 +01:00
iommu-traces.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iommu.c iommu: Check for iommu_ops == NULL in iommu_probe_device() 2018-12-20 10:02:20 +01:00
iova.c iommu/iova: Optimise attempts to allocate iova from 32bit address range 2018-09-25 10:18:27 +02:00
ipmmu-vmsa.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
irq_remapping.c irq_remapping: Remove unused header files 2018-12-03 14:26:12 +01:00
irq_remapping.h irq_remapping: Use apic_ack_irq() 2018-06-06 15:18:20 +02:00
Kconfig IOMMU Updates for Linux v4.20 2018-10-26 10:50:10 -07:00
Makefile iommu/vt-d: Enable base Intel IOMMU debugfs support 2018-09-25 14:33:43 +02:00
msm_iommu_hw-8xxx.h
msm_iommu.c iommu/msm: Make it explicitly non-modular 2018-12-03 14:32:03 +01:00
msm_iommu.h iommu/msm: Make use of iommu_device_register interface 2017-02-10 13:44:57 +01:00
mtk_iommu_v1.c iommu/mediatek: Use correct fwspec in mtk_iommu_add_device() 2019-01-23 13:51:05 +01:00
mtk_iommu.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00
mtk_iommu.h iommu/mediatek: Fix protect memory setting 2018-03-21 06:13:57 -05:00
of_iommu.c iommu/of: Fix probe-deferral 2019-01-11 12:28:24 +01:00
omap-iommu-debug.c iommu/omap: Remove DEBUG_SEQ_FOPS_RO() 2018-11-22 17:10:43 +01:00
omap-iommu.c Merge branches 'arm/shmobile', 'arm/renesas', 'arm/msm', 'arm/smmu', 'arm/omap', 'x86/amd', 'x86/vt-d' and 'core' into next 2018-08-08 12:02:27 +02:00
omap-iommu.h iommu/omap: Add support to program multiple iommus 2017-09-19 11:32:05 +02:00
omap-iopgtable.h
qcom_iommu.c iommu/qcom: Use helper functions to access dev->iommu_fwspec 2018-12-17 10:38:32 +01:00
rockchip-iommu.c iommu/rockchip: Make it explicitly non-modular 2018-12-03 14:32:03 +01:00
s390-iommu.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tegra-gart.c iommu/tegra: Make it explicitly non-modular 2018-12-03 14:32:03 +01:00
tegra-smmu.c Merge branches 'iommu/fixes', 'arm/renesas', 'arm/mediatek', 'arm/tegra', 'arm/omap', 'arm/smmu', 'x86/vt-d', 'x86/amd' and 'core' into next 2018-12-20 10:05:20 +01:00