From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E870917555; Sat, 30 May 2026 18:19:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780165193; cv=none; b=SFIAuD48gBdRRkh7GuRjN59iCM2FawsQ5BjEVeVsrycJdekqz7w2K8XGrWX7cqscDQNtokFG57mC0FKgpsTLLRO+N4KIitXXrW67TqGdsDFqGToDs5ZXPx+bJT62BY1yhA/QKKbW+MwhPS6FZotv97YDrzQHXq7dkqLq8JrvfE4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780165193; c=relaxed/simple; bh=bFF7g0SHRfvbUYdb6L66TOAtETH7/JlOuQ6Qm2EqSwQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=e52/rxHGCaeTJnL7jP5H11GdsQLf6BXug0qEziPBdWaZkOt4vLkR7/l7He+FXVHRdnGP0s8aCw6r3UTZlEqEmXPjZ+ln8/DrURm7A3u/B2SZEu2+/oDUASqqf4snKLCKjKT94mtD9zrt/fiV7W/nId/uhF2weTfvKlQrfDcKNSo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=hUhbSPN5; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="hUhbSPN5" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 35AC01F00893; Sat, 30 May 2026 18:19:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1780165192; bh=V8B3qC7KTxCqD9n6xJtGla6jKlpkXRgn+Pl7T6w0VHo=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=hUhbSPN5KISXV8ZSfQUHTo9tWW5277K1za4xDnkHGyNjzG5yYwZnsorpLsame6v5E A3X/ccUVroixq6BGzBPyOVyWgjm6QRfWYwmbcMHhwGPRIlmF4In3T2xq7j4jnux4pX PZGrecuffL6xuzZEJqXV8dB2bg0x+SAOw/rjKVJY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Aditya Garg , Haiyang Zhang , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.15 776/776] net: mana: validate rx_req_idx to prevent out-of-bounds array access Date: Sat, 30 May 2026 18:08:10 +0200 Message-ID: <20260530160259.752242011@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260530160240.228940103@linuxfoundation.org> References: <20260530160240.228940103@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Aditya Garg [ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ] In mana_hwc_rx_event_handler(), rx_req_idx is derived from sge->address in DMA-coherent memory. In Confidential VMs (SEV-SNP/TDX), this memory is shared unencrypted and HW can modify WQE contents at any time. No bounds check exists on rx_req_idx, which can lead to an out-of-bounds access into reqs[]. Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before using it to index the reqs[] array. Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Aditya Garg Reviewed-by: Haiyang Zhang Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c index 91b1af1d72eb8..f2542bb9254fc 100644 --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c @@ -206,6 +206,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id, rq_base_addr = hwc_rxq->msg_buf->mem_info.dma_handle; rx_req_idx = (sge->address - rq_base_addr) / hwc->max_req_msg_size; + if (rx_req_idx >= hwc_rxq->msg_buf->num_reqs) { + dev_err(hwc->dev, "HWC RX: wrong rx_req_idx=%llu, num_reqs=%u\n", + rx_req_idx, hwc_rxq->msg_buf->num_reqs); + return; + } + rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx]; resp = (struct gdma_resp_hdr *)rx_req->buf_va; -- 2.53.0