From: Jakub Kicinski <kuba@kernel.org>
To: Michael Chan <michael.chan@broadcom.com>
Cc: Junrui Luo <moonafterrain@outlook.com>,
Pavan Chebbi <pavan.chebbi@broadcom.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Shruti Parab <shruti.parab@broadcom.com>,
Hongguang Gao <hongguang.gao@broadcom.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang <danisjiang@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
Date: Tue, 17 Mar 2026 15:38:24 -0700 [thread overview]
Message-ID: <20260317153824.7671cfde@kernel.org> (raw)
In-Reply-To: <SYBPR01MB7881A253A1C9775D277F30E9AF42A@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Sat, 14 Mar 2026 17:41:04 +0800 Junrui Luo wrote:
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
>
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
>
> The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> kernel memory corruption or a crash.
>
> Fix by adding a bounds check and defining BNXT_TRACE_MAX as
> DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
> defined firmware trace types (0x0 through 0xc).
Hi Micheal, looks like it now does what you asked in v2?
next prev parent reply other threads:[~2026-03-17 22:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-14 9:41 [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler Junrui Luo
2026-03-17 22:38 ` Jakub Kicinski [this message]
2026-03-17 22:52 ` Michael Chan
2026-03-17 23:10 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317153824.7671cfde@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=danisjiang@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hongguang.gao@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.chan@broadcom.com \
--cc=moonafterrain@outlook.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pavan.chebbi@broadcom.com \
--cc=shruti.parab@broadcom.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox