From: Greg KH <gregkh@linuxfoundation.org>
To: w15303746062@163.com
Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, kees@kernel.org,
stable@vger.kernel.org,
Mingyu Wang <25181214217@stu.xidian.edu.cn>
Subject: Re: [PATCH v4 2/2] misc: ibmasm: Fix dynamic out-of-bounds MMIO access via malicious MFA
Date: Fri, 17 Jul 2026 14:37:08 +0200 [thread overview]
Message-ID: <2026071745-bamboo-aerobics-7657@gregkh> (raw)
In-Reply-To: <20260624032425.384325-3-w15303746062@163.com>
On Wed, Jun 24, 2026 at 11:24:25AM +0800, w15303746062@163.com wrote:
> From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
>
> The ibmasm driver reads dynamic Message Frame Addresses (MFA) from
> hardware queues and uses them directly as offsets to dereference I2O
> messages via get_i2o_message().
>
> If a malformed or fuzzed device provides a malicious MFA, it can cause
> the driver to access memory far beyond the mapped BAR, leading to an
> out-of-bounds (OOB) access and potential kernel panic during runtime.
>
> Fix this by validating the target offset against the actual mapped size
> before dereferencing. This validation strictly accounts for both the
> i2o_header and the dynamic payload size using safe subtraction to prevent
> integer overflow bypasses.
>
> If the bounds check fails, the invalid MFA is released back to the
> inbound queue via set_mfa_inbound() to prevent a hardware mailbox deadlock.
>
> Fixes: bdbeed75b288 ("pci: use pci_ioremap_bar() in drivers/misc")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
> ---
> drivers/misc/ibmasm/lowlevel.c | 30 ++++++++++++++++++++++++++----
> drivers/misc/ibmasm/lowlevel.h | 25 +++++++++++++++++++++++--
> 2 files changed, 49 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c
> index 5313230f36ad..68dd493a7953 100644
> --- a/drivers/misc/ibmasm/lowlevel.c
> +++ b/drivers/misc/ibmasm/lowlevel.c
> @@ -9,7 +9,6 @@
>
> #include "ibmasm.h"
> #include "lowlevel.h"
> -#include "i2o.h"
> #include "dot_command.h"
> #include "remote.h"
>
> @@ -34,7 +33,13 @@ int ibmasm_send_i2o_message(struct service_processor *sp)
> return 1;
>
> header.message_size = outgoing_message_size((unsigned int)command_size);
> - message = get_i2o_message(sp->base_address, mfa);
> + message = get_i2o_message(sp->base_address, sp->mapped_size, mfa,
> + sizeof(struct i2o_header) + command_size);
> + if (!message) {
> + /* Release the allocated inbound MFA to prevent mailbox deadlock */
> + set_mfa_inbound(sp->base_address, mfa);
> + return 1;
> + }
>
> memcpy_toio(&message->header, &header, sizeof(struct i2o_header));
> memcpy_toio(&message->data, command->buffer, command_size);
> @@ -63,8 +68,25 @@ irqreturn_t ibmasm_interrupt_handler(int irq, void * dev_id)
>
> mfa = get_mfa_outbound(base_address);
> if (valid_mfa(mfa)) {
> - struct i2o_message *msg = get_i2o_message(base_address, mfa);
> - ibmasm_receive_message(sp, &msg->data, incoming_data_size(msg));
> + struct i2o_message *msg = get_i2o_message(base_address,
> + sp->mapped_size, mfa,
> + sizeof(struct i2o_header));
> + if (msg) {
> + u32 data_size = incoming_data_size(msg);
> + u32 offset = GET_MFA_ADDR(mfa);
> +
> + /*
> + * Secondary check for dynamic payload size.
> + * Use subtraction to perfectly prevent integer overflow.
> + */
> + if (unlikely(data_size > sp->mapped_size - offset -
> + sizeof(struct i2o_header)))
> + dbg("received mfa payload out of bounds\n");
> + else
> + ibmasm_receive_message(sp, &msg->data, data_size);
> + } else {
> + dbg("received mfa header out of bounds\n");
> + }
> } else
> dbg("didn't get a valid MFA\n");
>
> diff --git a/drivers/misc/ibmasm/lowlevel.h b/drivers/misc/ibmasm/lowlevel.h
> index 545dfe384117..c0f08106c52c 100644
> --- a/drivers/misc/ibmasm/lowlevel.h
> +++ b/drivers/misc/ibmasm/lowlevel.h
> @@ -13,6 +13,9 @@
> #define __IBMASM_CONDOR_H__
>
> #include <asm/io.h>
> +#include <linux/compiler.h>
> +#include <linux/types.h>
> +#include "i2o.h"
>
> #define VENDORID_IBM 0x1014
> #define DEVICEID_RSA 0x010F
> @@ -118,9 +121,27 @@ static inline void set_mfa_inbound(void __iomem *base_address, u32 mfa)
> writel(mfa, base_address + INBOUND_QUEUE_PORT);
> }
>
> -static inline struct i2o_message *get_i2o_message(void __iomem *base_address, u32 mfa)
> +/**
> + * get_i2o_message - Convert MFA to i2o_message pointer with bounds check
> + * @base_address: BAR 0 virtual address
> + * @mapped_size: actual size of BAR 0 mapping
> + * @mfa: Message Frame Address from hardware
> + * @msg_size: Required size of the message (header + payload)
> + *
> + * Returns NULL if the offset derived from @mfa does not fit within
> + * the mapped BAR (including the i2o_message header).
> + */
> +static inline struct i2o_message *get_i2o_message(void __iomem *base_address,
> + resource_size_t mapped_size,
> + u32 mfa, size_t msg_size)
> {
> - return (struct i2o_message *)(GET_MFA_ADDR(mfa) + base_address);
> + u32 offset = GET_MFA_ADDR(mfa);
> +
> + /* Prevent read/write beyond the ioremap region and avoid integer underflow/overflow */
> + if (unlikely(offset > mapped_size || msg_size > mapped_size - offset))
> + return NULL;
> +
> + return (struct i2o_message *)(offset + base_address);
> }
That is a big function to inline, are you sure it's still needed that
way and shouldn't just go in the .c file?
thanks,
greg k-h
next prev parent reply other threads:[~2026-07-17 12:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 3:24 [PATCH v4 0/2] misc: ibmasm: Fix out-of-bounds MMIO accesses w15303746062
2026-06-24 3:24 ` [PATCH v4 1/2] misc: ibmasm: Fix static out-of-bounds MMIO access during probe w15303746062
2026-06-24 3:24 ` [PATCH v4 2/2] misc: ibmasm: Fix dynamic out-of-bounds MMIO access via malicious MFA w15303746062
2026-06-27 1:34 ` w15303746062
2026-07-17 12:37 ` Greg KH [this message]
2026-07-17 15:13 ` [PATCH " Mingyu Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026071745-bamboo-aerobics-7657@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=25181214217@stu.xidian.edu.cn \
--cc=arnd@arndb.de \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=w15303746062@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox