On Wed, Feb 20, 2019 at 10:46:31AM -0600, Julia Cartwright wrote:
> Commit 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
> device path") changed the type of the path data, however, the change in
> path type was not reflected in size calculations. Update to use the
> correct type and prevent a buffer overflow.
>
> This bug manifests in systems with deep PCI hierarchies, and can lead to
> an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
> or can lead to overflow of slab-allocated data.
>
> BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
> Write of size 1 at addr ffffffff90445d80 by task swapper/0/1
> CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W
> 4.14.87-rt49-02406-gd0a0e96 #1
> Call Trace:
> ? dump_stack+0x46/0x59
> ? print_address_description+0x1df/0x290
[..]
> The buggy address belongs to the variable:
> dmar_pci_notify_info_buf+0x40/0x60
>
> Fixes: 57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device
> path")
> Signed-off-by: Julia Cartwright <ju...@ni.com>
> ---
> drivers/iommu/dmar.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
> index 6b7df25e1488..9c49300e9fb7 100644
> --- a/drivers/iommu/dmar.c
> +++ b/drivers/iommu/dmar.c
> @@ -145,7 +145,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned
> long event)
> for (tmp = dev; tmp; tmp = tmp->bus->self)
> level++;
>
> - size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
> + size = sizeof(*info) + level * sizeof(info->path[0]);
This is probably a candidate for struct_size() instead, if that's what
is preferred.
Julia
