Re: [PATCH v3 fwctl 4/5] fwctl/bnxt_fwctl: Add bnxt fwctl device

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Jason Gunthorpe <jgg@ziepe.ca>
To: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Cc: Pavan Chebbi <pavan.chebbi@broadcom.com>,
	Saeed Mahameed <saeedm@nvidia.com>,
	michael.chan@broadcom.com, linux-kernel@vger.kernel.org,
	dave.jiang@intel.com, Jonathan.Cameron@huawei.com,
	gospo@broadcom.com, selvin.xavier@broadcom.com, leon@kernel.org,
	kalesh-anakkur.purayil@broadcom.com
Subject: Re: [PATCH v3 fwctl 4/5] fwctl/bnxt_fwctl: Add bnxt fwctl device
Date: Thu, 5 Feb 2026 14:42:06 -0400	[thread overview]
Message-ID: <20260205184206.GP2328995@ziepe.ca> (raw)
In-Reply-To: <CACDg6nVDh4MXwnNzo5H5MfZ7-NeJ4c2J3SmFw9wZub_nEvbgpA@mail.gmail.com>

On Thu, Feb 05, 2026 at 12:47:53PM -0500, Andy Gospodarek wrote:

>    Jason, this is all done in bnxtctl_fw_rpc() and the functions it calls
>    in this (or the v4 version) of this patch.

Oh.. No.. You can't do this:

+	rpc_in.msg = memdup_user(u64_to_user_ptr(msg->req), msg->req_len);
         // ^^ eventually becomes fw_msg
+		dma_ptr = fw_msg->msg + msg->offset;
+		*(__le64 *)(dma_ptr) = cpu_to_le64(dma_addr[i]);

There is nothing in here which ensures that every DMA physical address
in the mailbox given from userspace is *actually forced to a value by
the kernel*

The kernel only overwrites values from the user controlled struct
fwctl_dma_info_bnxt array.

Meaning userspace can just specify any physical address in the
message, not include any fwctl_dma_info_bnxt list and it will happily
send the user controlled physical address to the FW. Thus userspace
can DMA to whatever memory it likes.

IOW this is a *HUGE* security error!

You are going to struggle very much supporting this kind of ill suited
FW API through this interface, I think you need to rework the FW
protocol...

Or add some very complex kernel validation and do something about
forward compatibility...

Or only support commands the FW promises will never have a DMA address
in them.

Shouldn't you guys have caught this during your security review?
"don't DMA to random memory" is a very clear fundamental thing in the
fwctl rules!

Jason

next prev parent reply	other threads:[~2026-02-05 18:42 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-29 15:54 [PATCH v3 fwctl 0/5] fwctl/bnxt_fwctl: fwctl for Broadcom Netxtreme devices Pavan Chebbi
2026-01-29 15:54 ` [PATCH v3 fwctl 1/5] fwctl/bnxt_en: Move common definitions to include/linux/bnxt/ Pavan Chebbi
2026-01-29 15:54 ` [PATCH v3 fwctl 2/5] fwctl/bnxt_en: Refactor aux bus functions to be more generic Pavan Chebbi
2026-01-30 11:37   ` Jonathan Cameron
2026-01-30 12:26     ` Pavan Chebbi
2026-02-04 23:44   ` Saeed Mahameed
2026-02-05  4:00     ` Pavan Chebbi
2026-02-05  8:41       ` Pavan Chebbi
2026-01-29 15:54 ` [PATCH v3 fwctl 3/5] fwctl/bnxt_en: Create an aux device for fwctl Pavan Chebbi
2026-01-30 11:39   ` Jonathan Cameron
2026-02-04 23:47   ` Saeed Mahameed
2026-01-29 15:54 ` [PATCH v3 fwctl 4/5] fwctl/bnxt_fwctl: Add bnxt fwctl device Pavan Chebbi
2026-01-30 12:03   ` Jonathan Cameron
2026-01-30 15:19     ` Jason Gunthorpe
2026-02-05  0:19   ` Saeed Mahameed
2026-02-05  4:25     ` Pavan Chebbi
2026-02-05 15:09       ` Pavan Chebbi
2026-02-05 17:33       ` Jason Gunthorpe
2026-02-05 17:47         ` Andy Gospodarek
2026-02-05 18:42           ` Jason Gunthorpe [this message]
2026-02-06  0:19             ` Andy Gospodarek
2026-02-06  0:39               ` Jason Gunthorpe
2026-02-06  1:24                 ` Pavan Chebbi
2026-02-06  1:29                   ` Jason Gunthorpe
2026-02-06  4:45             ` Pavan Chebbi
2026-02-09 13:41               ` Andy Gospodarek
2026-02-17 14:43             ` Pavan Chebbi
2026-01-29 15:54 ` [PATCH v3 fwctl 5/5] fwctl/bnxt_fwctl: Add documentation entries Pavan Chebbi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260205184206.GP2328995@ziepe.ca \
    --to=jgg@ziepe.ca \
    --cc=Jonathan.Cameron@huawei.com \
    --cc=andrew.gospodarek@broadcom.com \
    --cc=dave.jiang@intel.com \
    --cc=gospo@broadcom.com \
    --cc=kalesh-anakkur.purayil@broadcom.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=michael.chan@broadcom.com \
    --cc=pavan.chebbi@broadcom.com \
    --cc=saeedm@nvidia.com \
    --cc=selvin.xavier@broadcom.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox