[PATCH] um: vfio: bound the iommu_group sysfs path formatting

Next message: Tejun Heo: "Re: [PATCH for-7.1-fixes 1/2] rhashtable: add no_sync_grow option"
Previous message: Luka Gejak: "Re: [PATCH] staging: rtl8723bs: simplify boolean comparisons"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Fri Apr 17 2026 - 03:44:38 EST

uml_vfio_user_get_group_id() builds the iommu_group sysfs path in a
PATH_MAX buffer with sprintf() and an unvalidated device string.

If the device component is long enough, the formatted path runs past the
end of the heap buffer before readlink() is attempted.

Use snprintf() and reject device strings whose formatted path does not
fit in PATH_MAX.

Fixes: a0e2cb6a9063 ("um: Add VFIO-based virtual PCI driver")

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/um/drivers/vfio_user.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/um/drivers/vfio_user.c b/arch/um/drivers/vfio_user.c
index 6a45d8e14582..5230e18b5b53 100644
--- a/arch/um/drivers/vfio_user.c
+++ b/arch/um/drivers/vfio_user.c
@@ -81,7 +81,12 @@ int uml_vfio_user_get_group_id(const char *device)
if (!path)
return -ENOMEM;

- sprintf(path, "/sys/bus/pci/devices/%s/iommu_group", device);
+ r = snprintf(path, PATH_MAX, "/sys/bus/pci/devices/%s/iommu_group",
+ device);
+ if (r >= PATH_MAX) {
+ r = -ENAMETOOLONG;
+ goto free_path;
+ }

buf = uml_kmalloc(PATH_MAX + 1, UM_GFP_KERNEL);
if (!buf) {
--
2.50.1 (Apple Git-155)