* i3c: master: svc: IBI payload not bounded by max_payload_len
@ 2026-06-23 8:17 Maoyi Xie
From: Maoyi Xie @ 2026-06-23 8:17 UTC (permalink / raw)
To: Miquel Raynal, Frank Li; +Cc: Alexandre Belloni, linux-i3c, linux-kernel
Hi all,
I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
can write past the IBI slot buffer when a device sends a large IBI payload.
I would appreciate it if you could let me know whether you agree.
The read loop bounds the slot only by the hardware FIFO size, not by the
requested max_payload_len.
    slot->len = 0;
    buf = slot->data;
    while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
        mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
        count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
        readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
        slot->len += count;
        buf += count;
    }
slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
window. A device that sends more bytes than the window overruns slot->data
into the pool.
dw-i3c and mipi-i3c-hci bound this same read against max_payload_len. dw-i3c
has "if (dev->ibi->max_payload_len < len)". svc looks like the one that
bounds by the FIFO size instead.
I reproduced the write on 7.1-rc7 by running the same loop into a 2 byte
window.
BUG: KASAN: slab-out-of-bounds in ...
... located 0 bytes to the right of a 2-byte region ... Write
Bounding the drain by max_payload_len, like dw-i3c does, would close it.
Does this look like a real bug to you, and is that the right fix? I am happy
to send a proper patch once you confirm.
Kaixuan Li and I found this together.
Thanks,
Maoyi
https://maoyixie.com/
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
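The following is an added user-space model of the drain loop discussed in the report; it is not the kernel driver's code and not the patch the reporter offers to send. It stands in for the controller with a constructed `fifo_model` (hypothetical `rxpend`, `rxcount` and `fifo_read` helpers mirror RXPEND, RXCOUNT and readsb on MRDATAB), replays the FIFO-size-bounded loop into scratch space so the model itself never overruns, and places beside it a drain bounded by the slot's max_payload_len that reads the surplus into a discard buffer and reports how much was dropped. The worked scenario uses a 2-byte window, as in the KASAN reproducer, with a constructed 7-byte payload.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SIZE 16   /* mirrors SVC_I3C_FIFO_SIZE from the report */

/* Hypothetical controller model: bytes the device pushed, how many were
 * drained so far, and how many bytes RXCOUNT reports per read. */
struct fifo_model {
    const uint8_t *bytes;
    size_t total;
    size_t consumed;
    size_t chunk;
};

/* Models MSTATUS RXPEND: set while undrained bytes remain. */
static bool rxpend(const struct fifo_model *f)
{
    return f->consumed < f->total;
}

/* Models MDATACTRL RXCOUNT: bytes available now, independent of the slot. */
static size_t rxcount(const struct fifo_model *f)
{
    size_t remaining = f->total - f->consumed;
    return remaining < f->chunk ? remaining : f->chunk;
}

/* Models readsb() on MRDATAB. */
static void fifo_read(struct fifo_model *f, uint8_t *dst, size_t count)
{
    memcpy(dst, f->bytes + f->consumed, count);
    f->consumed += count;
}

/* One slot of the IBI pool; cap is the max_payload_len it was sized with. */
struct ibi_slot {
    size_t len;
    size_t cap;
    uint8_t *data;
};

/* The loop as quoted in the report, bounded only by FIFO_SIZE. It writes
 * into scratch space large enough for the model, then copies at most cap
 * bytes into the slot; the return value is how many bytes would have
 * landed past the slot in the real pool. */
static size_t drain_fifo_bounded(struct fifo_model *f, struct ibi_slot *slot)
{
    uint8_t scratch[FIFO_SIZE + 32];  /* len < 16 before a read of up to 31 */
    size_t len = 0;

    while (rxpend(f) && len < FIFO_SIZE) {
        size_t count = rxcount(f);
        fifo_read(f, scratch + len, count);
        len += count;
    }
    slot->len = len < slot->cap ? len : slot->cap;
    memcpy(slot->data, scratch, slot->len);
    return len > slot->cap ? len - slot->cap : 0;
}

/* Drain bounded by the slot's max_payload_len: never writes past cap,
 * reads the surplus into a discard buffer so the FIFO does not stay
 * pending, and returns the bytes dropped so the caller can log it. */
static size_t drain_payload_bounded(struct fifo_model *f, struct ibi_slot *slot)
{
    uint8_t discard[32];
    size_t dropped = 0;

    slot->len = 0;
    while (rxpend(f)) {
        size_t count = rxcount(f);
        size_t room = slot->cap - slot->len;
        size_t take = count < room ? count : room;

        if (take) {
            fifo_read(f, slot->data + slot->len, take);
            slot->len += take;
        }
        for (size_t left = count - take; left; ) {
            size_t n = left < sizeof(discard) ? left : sizeof(discard);
            fifo_read(f, discard, n);
            left -= n;
            dropped += n;
        }
    }
    return dropped;
}

/* Results of the worked scenario, filled in by demo_two_byte_window(). */
static size_t demo_fifo_overrun;
static size_t demo_payload_dropped;

/* Constructed scenario: four 2-byte slots, a device sending 7 bytes,
 * RXCOUNT reporting 4 at a time. Returns 0 when the bounded drain leaves
 * the neighbouring slots untouched, 1 or 2 on failure. */
static int demo_two_byte_window(void)
{
    static const uint8_t payload[7] = {1, 2, 3, 4, 5, 6, 7};  /* constructed */
    uint8_t pool[8];                                         /* canary 0xAA */
    struct ibi_slot slot = {0, 2, pool + 2};
    struct fifo_model f = {payload, sizeof(payload), 0, 4};

    memset(pool, 0xAA, sizeof(pool));
    demo_fifo_overrun = drain_fifo_bounded(&f, &slot);

    f = (struct fifo_model){payload, sizeof(payload), 0, 4};
    memset(pool, 0xAA, sizeof(pool));
    demo_payload_dropped = drain_payload_bounded(&f, &slot);

    if (slot.len != 2 || pool[2] != 1 || pool[3] != 2)
        return 1;
    for (size_t i = 0; i < sizeof(pool); i++)
        if (i != 2 && i != 3 && pool[i] != 0xAA)
            return 2;
    return 0;
}

int main(void)
{
    int rc = demo_two_byte_window();
    printf("FIFO-bounded loop: %zu bytes past a 2-byte window\n", demo_fifo_overrun);
    printf("payload-bounded drain: %zu bytes dropped, slot intact: %s\n",
           demo_payload_dropped, rc == 0 ? "yes" : "no");
    return rc;
}
```

With the 7-byte payload the FIFO-bounded loop reports 5 bytes that would land past the window, which matches the slab-out-of-bounds write in the report; the payload-bounded drain stores 2 bytes, discards 5 and leaves the canary in the adjacent slots untouched. Draining the excess rather than simply stopping matters because a controller whose FIFO stays pending would otherwise keep the IBI path stuck.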
* Re: i3c: master: svc: IBI payload not bounded by max_payload_len
From: Miquel Raynal @ 2026-06-23 14:36 UTC (permalink / raw)
To: Maoyi Xie; +Cc: Frank Li, Alexandre Belloni, linux-i3c, linux-kernel
Hi,
On 23/06/2026 at 16:17:38 +08, Maoyi Xie <maoyixie.tju@gmail.com> wrote:
> Hi all,
>
> I think svc_i3c_master_handle_ibi() in drivers/i3c/master/svc-i3c-master.c
> can write past the IBI slot buffer when a device sends a large IBI payload.
> I would appreciate it if you could let me know whether you agree.
>
> The read loop bounds the slot only by the hardware FIFO size, not by the
> requested max_payload_len.
>
>     slot->len = 0;
>     buf = slot->data;
>     while (SVC_I3C_MSTATUS_RXPEND(...) && slot->len < SVC_I3C_FIFO_SIZE) {
>         mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
>         count = SVC_I3C_MDATACTRL_RXCOUNT(mdatactrl);
>         readsb(master->regs + SVC_I3C_MRDATAB, buf, count);
>         slot->len += count;
>         buf += count;
>     }
>
> slot->data points into the IBI pool. i3c_generic_ibi_alloc_pool() sizes each
> slot at max_payload_len. svc_i3c_master_request_ibi() only rejects a
> max_payload_len above SVC_I3C_FIFO_SIZE (16). So a driver can ask for a small
> window, and mctp-i3c asks for 1. count comes from the controller RXCOUNT
> field and can be up to 31. The loop stops at SVC_I3C_FIFO_SIZE, not at the
> window. A device that sends more bytes than the window overruns slot->data
> into the pool.
It is indeed possible. Please send a patch!
Thanks,
Miquèl