iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter

The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Kim Phillips <kim.phillips@amd.com>
Link: https://lore.kernel.org/r/20230202082719.1513849-1-Ilia.Gavrilov@infotecs.ru
Signed-off-by: Joerg Roedel <jroedel@suse.de>

diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index 467b194975b30fe4a33a7adce186e5f4a04824e6..19a46b9f73574f6ffb68979090953d8fe9490d56 100644 (file)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3475,15 +3475,26 @@ found:
        return 1;
 }
 
+#define ACPIID_LEN (ACPIHID_UID_LEN + ACPIHID_HID_LEN)
+
 static int __init parse_ivrs_acpihid(char *str)
 {
        u32 seg = 0, bus, dev, fn;
        char *hid, *uid, *p, *addr;
-       char acpiid[ACPIHID_UID_LEN + ACPIHID_HID_LEN] = {0};
+       char acpiid[ACPIID_LEN] = {0};
        int i;
 
        addr = strchr(str, '@');
        if (!addr) {
+               addr = strchr(str, '=');
+               if (!addr)
+                       goto not_found;
+
+               ++addr;
+
+               if (strlen(addr) > ACPIID_LEN)
+                       goto not_found;
+
                if (sscanf(str, "[%x:%x.%x]=%s", &bus, &dev, &fn, acpiid) == 4 ||
                    sscanf(str, "[%x:%x:%x.%x]=%s", &seg, &bus, &dev, &fn, acpiid) == 5) {
                        pr_warn("ivrs_acpihid%s option format deprecated; use ivrs_acpihid=%s@%04x:%02x:%02x.%d instead\n",
@@ -3496,6 +3507,9 @@ static int __init parse_ivrs_acpihid(char *str)
        /* We have the '@', make it the terminator to get just the acpiid */
        *addr++ = 0;
 
+       if (strlen(str) > ACPIID_LEN + 1)
+               goto not_found;
+
        if (sscanf(str, "=%s", acpiid) != 1)
                goto not_found;