mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: w15303746062@163.com
Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, kees@kernel.org,
	stable@vger.kernel.org,
	Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: Re: [PATCH v4 2/2] misc: ibmasm: Fix dynamic out-of-bounds MMIO access via malicious MFA
Date: Fri, 17 Jul 2026 14:37:08 +0200	[thread overview]
Message-ID: <2026071745-bamboo-aerobics-7657@gregkh> (raw)
In-Reply-To: <20260624032425.384325-3-w15303746062@163.com>

On Wed, Jun 24, 2026 at 11:24:25AM +0800, w15303746062@163.com wrote:
> From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> 
> The ibmasm driver reads dynamic Message Frame Addresses (MFA) from
> hardware queues and uses them directly as offsets to dereference I2O
> messages via get_i2o_message().
> 
> If a malformed or fuzzed device provides a malicious MFA, it can cause
> the driver to access memory far beyond the mapped BAR, leading to an
> out-of-bounds (OOB) access and potential kernel panic during runtime.
> 
> Fix this by validating the target offset against the actual mapped size
> before dereferencing. This validation strictly accounts for both the
> i2o_header and the dynamic payload size using safe subtraction to prevent
> integer overflow bypasses.
> 
> If the bounds check fails, the invalid MFA is released back to the
> inbound queue via set_mfa_inbound() to prevent a hardware mailbox deadlock.
> 
> Fixes: bdbeed75b288 ("pci: use pci_ioremap_bar() in drivers/misc")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> ---
>  drivers/misc/ibmasm/lowlevel.c | 30 ++++++++++++++++++++++++++----
>  drivers/misc/ibmasm/lowlevel.h | 25 +++++++++++++++++++++++--
>  2 files changed, 49 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c
> index 5313230f36ad..68dd493a7953 100644
> --- a/drivers/misc/ibmasm/lowlevel.c
> +++ b/drivers/misc/ibmasm/lowlevel.c
> @@ -9,7 +9,6 @@
>  
>  #include "ibmasm.h"
>  #include "lowlevel.h"
> -#include "i2o.h"
>  #include "dot_command.h"
>  #include "remote.h"
>  
> @@ -34,7 +33,13 @@ int ibmasm_send_i2o_message(struct service_processor *sp)
>  		return 1;
>  
>  	header.message_size = outgoing_message_size((unsigned int)command_size);
> -	message = get_i2o_message(sp->base_address, mfa);
> +	message = get_i2o_message(sp->base_address, sp->mapped_size, mfa,
> +				  sizeof(struct i2o_header) + command_size);
> +	if (!message) {
> +		/* Release the allocated inbound MFA to prevent mailbox deadlock */
> +		set_mfa_inbound(sp->base_address, mfa);
> +		return 1;
> +	}
>  
>  	memcpy_toio(&message->header, &header, sizeof(struct i2o_header));
>  	memcpy_toio(&message->data, command->buffer, command_size);
> @@ -63,8 +68,25 @@ irqreturn_t ibmasm_interrupt_handler(int irq, void * dev_id)
>  
>  	mfa = get_mfa_outbound(base_address);
>  	if (valid_mfa(mfa)) {
> -		struct i2o_message *msg = get_i2o_message(base_address, mfa);
> -		ibmasm_receive_message(sp, &msg->data, incoming_data_size(msg));
> +		struct i2o_message *msg = get_i2o_message(base_address,
> +							  sp->mapped_size, mfa,
> +							  sizeof(struct i2o_header));
> +		if (msg) {
> +			u32 data_size = incoming_data_size(msg);
> +			u32 offset = GET_MFA_ADDR(mfa);
> +
> +			/*
> +			 * Secondary check for dynamic payload size.
> +			 * Use subtraction to perfectly prevent integer overflow.
> +			 */
> +			if (unlikely(data_size > sp->mapped_size - offset -
> +						 sizeof(struct i2o_header)))
> +				dbg("received mfa payload out of bounds\n");
> +			else
> +				ibmasm_receive_message(sp, &msg->data, data_size);
> +		} else {
> +			dbg("received mfa header out of bounds\n");
> +		}
>  	} else
>  		dbg("didn't get a valid MFA\n");
>  
> diff --git a/drivers/misc/ibmasm/lowlevel.h b/drivers/misc/ibmasm/lowlevel.h
> index 545dfe384117..c0f08106c52c 100644
> --- a/drivers/misc/ibmasm/lowlevel.h
> +++ b/drivers/misc/ibmasm/lowlevel.h
> @@ -13,6 +13,9 @@
>  #define __IBMASM_CONDOR_H__
>  
>  #include <asm/io.h>
> +#include <linux/compiler.h>
> +#include <linux/types.h>
> +#include "i2o.h"
>  
>  #define VENDORID_IBM	0x1014
>  #define DEVICEID_RSA	0x010F
> @@ -118,9 +121,27 @@ static inline void set_mfa_inbound(void __iomem *base_address, u32 mfa)
>  	writel(mfa, base_address + INBOUND_QUEUE_PORT);
>  }
>  
> -static inline struct i2o_message *get_i2o_message(void __iomem *base_address, u32 mfa)
> +/**
> + * get_i2o_message - Convert MFA to i2o_message pointer with bounds check
> + * @base_address: BAR 0 virtual address
> + * @mapped_size:  actual size of BAR 0 mapping
> + * @mfa:          Message Frame Address from hardware
> + * @msg_size:     Required size of the message (header + payload)
> + *
> + * Returns NULL if the offset derived from @mfa does not fit within
> + * the mapped BAR (including the i2o_message header).
> + */
> +static inline struct i2o_message *get_i2o_message(void __iomem *base_address,
> +						  resource_size_t mapped_size,
> +						  u32 mfa, size_t msg_size)
>  {
> -	return (struct i2o_message *)(GET_MFA_ADDR(mfa) + base_address);
> +	u32 offset = GET_MFA_ADDR(mfa);
> +
> +	/* Prevent read/write beyond the ioremap region and avoid integer underflow/overflow */
> +	if (unlikely(offset > mapped_size || msg_size > mapped_size - offset))
> +		return NULL;
> +
> +	return (struct i2o_message *)(offset + base_address);
>  }

That is a big function to inline, are you sure it's still needed that
way and shouldn't just go in the .c file?

thanks,

greg k-h

  parent reply	other threads:[~2026-07-17 12:37 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-24  3:24 [PATCH v4 0/2] misc: ibmasm: Fix out-of-bounds MMIO accesses w15303746062
2026-06-24  3:24 ` [PATCH v4 1/2] misc: ibmasm: Fix static out-of-bounds MMIO access during probe w15303746062
2026-06-24  3:24 ` [PATCH v4 2/2] misc: ibmasm: Fix dynamic out-of-bounds MMIO access via malicious MFA w15303746062
2026-06-27  1:34   ` w15303746062
2026-07-17 12:37   ` Greg KH [this message]
2026-07-17 15:13     ` [PATCH " Mingyu Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026071745-bamboo-aerobics-7657@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=25181214217@stu.xidian.edu.cn \
    --cc=arnd@arndb.de \
    --cc=kees@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=w15303746062@163.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox