Commit 8503d0fc authored Aug 04, 2025 by Kees Cook Committed by Joerg Roedel Aug 15, 2025

iommu/amd: Avoid stack buffer overflow from kernel cmdline

While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.

Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM

Fixes: b6b26d86 ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>
Link: https://lore.kernel.org/r/20250804154023.work.970-kees@kernel.org

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>

parent 8f5ae30d

drivers/iommu/amd/init.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -3638,7 +3638,7 @@ static int __init parse_ivrs_acpihid(char *str)
		{
		u32 seg = 0, bus, dev, fn;
		char hid, uid, p, addr;
		char acpiid[ACPIID_LEN] = {0};
		char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */
		int i;

		addr = strchr(str, '@');
		@@ -3664,7 +3664,7 @@ static int __init parse_ivrs_acpihid(char *str)
		/* We have the '@', make it the terminator to get just the acpiid */
		*addr++ = 0;

		if (strlen(str) > ACPIID_LEN + 1)
		if (strlen(str) > ACPIID_LEN)
		goto not_found;

		if (sscanf(str, "=%s", acpiid) != 1)