From: Michael Bommarito
To: Samuel Mendoza-Jonas, Paul Fertser, netdev@vger.kernel.org
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux-kernel@vger.kernel.org, Michael Bommarito
Subject: [PATCH net 0/6] net/ncsi: harden packet parsing against malformed BMC replies
Date: Wed, 22 Apr 2026 12:03:36 -0400
Message-ID: <20260422160342.1975093-1-michael.bommarito@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

NC-SI treats the management controller as privileged, but the Linux packet
parser still needs to reject malformed or truncated replies instead of
walking past the skb or past its software filter tables.

This series closes six linked parser issues in net/ncsi:

- short replies accepted before response header/checksum reads
- GC/GP count fields exceeding software filter limits
- GMCMA address counts exceeding payload-backed addresses
- OEM response parsing that trusts vendor-specific payload offsets
- short AEN packets accepted before AEN header/payload reads
- GP payloads not checked against the consumed MAC/VLAN table bytes

The threat model here is a compromised BMC or management-channel MITM on the
NC-SI link. This is not internet-reachable remote input, so I am sending it
as a public [PATCH net] series with Cc: stable rather than through security@.
Testing:

- x86_64 defconfig with CONFIG_NET_NCSI=y and CONFIG_NCSI_OEM_CMD_GET_MAC=y:
  `make -C ~/src/linux-mainline O=~/src/build-ncsi-bmc-oob ARCH=x86_64 -j$(nproc) net/ncsi/`
- live x86_64/KASAN QEMU guest for the GP path: guest `virtio-net` registered
  with NCSI, `SP -> CIS -> GC -> GP` issued over the `NCSI` generic-netlink
  family, and a host tap responder returning matching NC-SI frames. Without
  the series applied, a GP reply with mac_cnt=65 triggers
  `KASAN: slab-out-of-bounds in ncsi_rsp_handler_gp()`. With the series
  applied, the same reply is rejected with `-ERANGE` and no KASAN report.
- synthetic A/B userspace harness covering the other malformed-response
  cases: without the series, parsing either faults or corrupts adjacent
  state; with the series, each case is rejected or clamped at the parser
  boundary.

Impact / regression notes:

- libclang call-graph query shows ncsi_validate_rsp_pkt() is only reached
  from ncsi_rcv_rsp() and ncsi_rsp_handler_dc(), so the new skb-length guard
  stays local to the response path.
- cscope shows ncsi_aen_handler() is only reached from ncsi_rcv_rsp(), so the
  new AEN pulls stay local to AEN dispatch.
- cscope on n_vids shows the downstream consumers are the response parser,
  the manage-side VLAN bitmap walkers, and ncsi-netlink's channel dump path,
  which is the surface this series intentionally tightens.

Michael Bommarito (6):
  net/ncsi: validate response packet lengths against the skb
  net/ncsi: bound filter table state to software limits
  net/ncsi: validate GMCMA address counts against the payload
  net/ncsi: validate OEM response payloads before parsing
  net/ncsi: validate AEN packet lengths against the skb
  net/ncsi: validate GP payload lengths before parsing

 net/ncsi/ncsi-aen.c |  30 +++++++++---
 net/ncsi/ncsi-rsp.c | 114 ++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 128 insertions(+), 16 deletions(-)

-- 
2.53.0
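As an added illustration of the checking pattern the cover letter describes (reject a reply before reading a header that is not fully present, bound a count field by the software table, and bound it again by the bytes that actually back it), here is a small userspace C parser. It is not code from this series or from net/ncsi; the reply layout, the header size, the entry size, the table limit and every sample buffer are assumptions constructed for the example, not the NC-SI wire format.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified reply layout for this example only (not NC-SI):
 *   bytes 0..1  : type / id (ignored here)
 *   bytes 2..3  : declared payload length, big-endian
 *   byte  4     : entry count
 *   then count * ENTRY_LEN bytes of entries (e.g. MAC addresses). */
#define HDR_LEN     4
#define ENTRY_LEN   6
#define TABLE_LIMIT 8   /* assumed software filter table capacity */

struct parsed_reply {
	unsigned int count;                    /* entries accepted */
	uint8_t entries[TABLE_LIMIT][ENTRY_LEN];
};

/* Parse 'len' bytes at 'buf' into 'out'.
 * Returns 0 on success, -EINVAL for a short or truncated reply, and
 * -ERANGE when the count field exceeds the table or the payload. */
int parse_reply(const uint8_t *buf, size_t len, struct parsed_reply *out)
{
	size_t payload_len, count;

	/* The whole header must exist before any header field is read. */
	if (len < HDR_LEN)
		return -EINVAL;

	payload_len = ((size_t)buf[2] << 8) | buf[3];

	/* A declared length is a claim; the buffer must actually back it. */
	if (payload_len > len - HDR_LEN)
		return -EINVAL;

	/* The count byte itself must lie inside the payload. */
	if (payload_len < 1)
		return -EINVAL;
	count = buf[HDR_LEN];

	/* Bound by the software table we copy into ... */
	if (count > TABLE_LIMIT)
		return -ERANGE;

	/* ... and by the bytes that really follow the count. */
	if (count * ENTRY_LEN > payload_len - 1)
		return -ERANGE;

	out->count = (unsigned int)count;
	memcpy(out->entries, buf + HDR_LEN + 1, count * ENTRY_LEN);
	return 0;
}

/* Constructed sample replies (not captured traffic). */
static const uint8_t good_reply[] = {
	0x00, 0x01, 0x00, 0x0d, 0x02,
	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5,
	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5 };
/* Only three bytes: shorter than the header. */
static const uint8_t short_reply[] = { 0x00, 0x01, 0x00 };
/* Header claims 13 payload bytes, buffer carries 5. */
static const uint8_t over_declared[] = {
	0x00, 0x01, 0x00, 0x0d, 0x02, 0xa0, 0xa1, 0xa2, 0xa3 };
/* Count of 65 with a one-byte payload: exceeds the table. */
static const uint8_t oversize_count[] = { 0x00, 0x01, 0x00, 0x01, 0x41 };
/* Count of 3 but only one entry is present in the payload. */
static const uint8_t unbacked_count[] = {
	0x00, 0x01, 0x00, 0x07, 0x03,
	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5 };

int main(void)
{
	struct parsed_reply r;

	printf("good:      %d\n", parse_reply(good_reply, sizeof good_reply, &r));
	printf("short:     %d\n", parse_reply(short_reply, sizeof short_reply, &r));
	printf("declared:  %d\n", parse_reply(over_declared, sizeof over_declared, &r));
	printf("table:     %d\n", parse_reply(oversize_count, sizeof oversize_count, &r));
	printf("unbacked:  %d\n", parse_reply(unbacked_count, sizeof unbacked_count, &r));
	return 0;
}
```

The order of the checks matters: the buffer length is compared before the header is read, the declared length is compared against the buffer before the count is read, and the count is compared against both limits before any copy happens, so no step reads or writes past what the previous step has proven to exist.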