diff options
| author | Kees Cook <[email protected]> | 2025-08-04 15:40:27 +0000 |
|---|---|---|
| committer | Joerg Roedel <[email protected]> | 2025-08-15 09:50:47 +0000 |
| commit | 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec (patch) | |
| tree | a06f03cebaf33b49cd80f97ac1eb683013898f41 /drivers/iommu/amd/init.c | |
| parent | Linux 6.17-rc1 (diff) | |
| download | kernel-8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec.tar.gz kernel-8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec.zip | |
iommu/amd: Avoid stack buffer overflow from kernel cmdline
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.
Reported-by: Simcha Kosman <[email protected]>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Ankit Soni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Joerg Roedel <[email protected]>
Diffstat (limited to 'drivers/iommu/amd/init.c')
| -rw-r--r-- | drivers/iommu/amd/init.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c index 7b5af6176de9..8de689b2c5ed 100644 --- a/drivers/iommu/amd/init.c +++ b/drivers/iommu/amd/init.c @@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str) { u32 seg = 0, bus, dev, fn; char *hid, *uid, *p, *addr; - char acpiid[ACPIID_LEN] = {0}; + char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */ int i; addr = strchr(str, '@'); @@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str) /* We have the '@', make it the terminator to get just the acpiid */ *addr++ = 0; - if (strlen(str) > ACPIID_LEN + 1) + if (strlen(str) > ACPIID_LEN) goto not_found; if (sscanf(str, "=%s", acpiid) != 1) |