From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Aditya Garg , Haiyang Zhang , Jakub Kicinski , Sasha Levin Subject: [PATCH 6.12 268/272] net: mana: validate rx_req_idx to prevent out-of-bounds array access Date: Thu, 28 May 2026 21:50:42 +0200 Message-ID: <20260528194636.582444410@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260528194629.379955525@linuxfoundation.org> References: <20260528194629.379955525@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Aditya Garg [ Upstream commit b809d0409991b75a6cff846a5ac27c3062953f84 ] In mana_hwc_rx_event_handler(), rx_req_idx is derived from sge->address in DMA-coherent memory. In Confidential VMs (SEV-SNP/TDX), this memory is shared unencrypted and HW can modify WQE contents at any time. No bounds check exists on rx_req_idx, which can lead to an out-of-bounds access into reqs[]. Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before using it to index the reqs[] array. Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Aditya Garg Reviewed-by: Haiyang Zhang Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/ethernet/microsoft/mana/hw_channel.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c index f8971844e6d8e..fef0edc90eac9 100644 --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c 
@@ -233,6 +233,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id, rq_base_addr = hwc_rxq->msg_buf->mem_info.dma_handle; rx_req_idx = (sge->address - rq_base_addr) / hwc->max_req_msg_size; + if (rx_req_idx >= hwc_rxq->msg_buf->num_reqs) { + dev_err(hwc->dev, "HWC RX: wrong rx_req_idx=%llu, num_reqs=%u\n", + rx_req_idx, hwc_rxq->msg_buf->num_reqs); + return; + } + rx_req = &hwc_rxq->msg_buf->reqs[rx_req_idx]; resp = (struct gdma_resp_hdr *)rx_req->buf_va; -- 2.53.0
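Review bot: The dev_err() inside the new rx_req_idx check in mana_hwc_rx_event_handler() is not rate-limited, and the commit message says the index is derived from shared memory that HW can modify at any time in a Confidential VM, so a misbehaving device can flood the kernel log through this path. Consider dev_err_ratelimited() with the same format string and arguments. The comparison also covers an sge->address below rq_base_addr, provided rx_req_idx is unsigned as the %llu format suggests, because the subtraction wraps to a large value that fails the check. One gap remains: the division truncates, so an sge->address that lies inside the buffer but is not a whole multiple of hwc->max_req_msg_size past rq_base_addr is still accepted and mapped to the lower reqs[] slot. If that matters for the threat model described in the commit message, a remainder check next to the bounds check would reject it.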