* [PATCH iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init
From: Aleksandr Loktionov @ 2026-04-30 14:21 UTC
To: intel-wired-lan, anthony.l.nguyen, aleksandr.loktionov; +Cc: netdev
set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of
ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from
providing ptype >= 1024 through VIRTCHNL, resulting in a write past
the end of the bitmap and a kernel page fault.

Reproduced with a custom kernel module injecting a crafted
VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592),
FW 4.91 0x800214af 1.3909.0, ICE COMMS DDP 1.3.53.0,
kernel 7.1.0-rc1.

crash_parser: ice_parser_profile_init @ ffffffffc0d61b60
crash_parser: setting ptype=0xffff (max valid=1023)
crash_parser: calling ice_parser_profile_init -- expect OOB crash!
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Oops: Oops: 0002 [#1] SMP NOPTI
CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1
Hardware name: Intel Corporation S2600BPB/S2600BPB
RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]
Call Trace:
<TASK>
? __pfx_ice_parser_profile_init+0x10/0x10 [ice]
crash_init+0x127/0xff0 [crash_parser]
do_one_initcall+0x45/0x310
do_init_module+0x64/0x270
init_module_from_file+0xcc/0xf0
idempotent_init_module+0x17b/0x280
__x64_sys_finit_module+0x6e/0xe0

Bail out early with -EINVAL when ptype is out of range.

Fixes: e312b3a1e209 ("ice: add API for parser profile initialization")
Cc: stable@vger.kernel.org
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
---
drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c b/drivers/net/ethernet/intel/ice/ice_parser.c
index f8e6963..3ede4c1 100644
--- a/drivers/net/ethernet/intel/ice/ice_parser.c
+++ b/drivers/net/ethernet/intel/ice/ice_parser.c
@@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result *rslt,
u16 proto_off = 0;
u16 off;
+ if (rslt->ptype >= ICE_FLOW_PTYPE_MAX)
+ return -EINVAL;
+
memset(prof, 0, sizeof(*prof));
set_bit(rslt->ptype, prof->ptypes);
if (blk == ICE_BLK_SW) {
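Review bot: The new check at the top of the hunk returns before memset(prof, 0, sizeof(*prof)), so on the -EINVAL path prof is left exactly as the caller passed it in. That is safe only if every caller tests the return value before reading prof; either state that in the changelog or move the memset above the check so a rejected call still hands back a zeroed profile.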
--
2.52.0
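The out-of-bounds write described in the commit message, modelled in user space as an added example (not the driver's code and not the reproducer used in this thread). PTYPE_MAX takes the 1024 from the commit message; model_prof, box, bytes_past_end, model_profile_init and canary_survives are hypothetical names, and the canary fixture is constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model only: names mirror the patch, none of this is driver code. */
#define PTYPE_MAX    1024  /* ICE_FLOW_PTYPE_MAX per the commit message */
#define LONG_BITS    (sizeof(unsigned long) * 8)
#define BITMAP_LONGS ((PTYPE_MAX + LONG_BITS - 1) / LONG_BITS)

struct model_prof {                      /* hypothetical stand-in for the profile */
    unsigned long ptypes[BITMAP_LONGS];  /* storage a 1024-bit DECLARE_BITMAP reserves */
};
/* Constructed fixture: a canary word placed directly behind the profile. */
static struct { struct model_prof prof; unsigned long canary; } box;

/* Word that an unchecked set_bit(nr, map) would modify. */
size_t word_index(uint16_t nr) { return nr / LONG_BITS; }
/* How far past the end of the bitmap that word reaches, in bytes (0 = in range). */
size_t bytes_past_end(uint16_t nr)
{
    size_t w = word_index(nr);
    return w < BITMAP_LONGS ? 0 : (w - BITMAP_LONGS + 1) * sizeof(unsigned long);
}

/* Same order as the patched function: range check, then clear, then set. */
int model_profile_init(uint16_t ptype, struct model_prof *prof)
{
    if (ptype >= PTYPE_MAX)
        return -EINVAL;              /* prof is not touched on this path */
    memset(prof, 0, sizeof(*prof));
    prof->ptypes[word_index(ptype)] |= 1UL << (ptype % LONG_BITS);
    return 0;
}

/* Fill the fixture with a pattern, run init, report whether the canary is intact. */
int canary_survives(uint16_t ptype)
{
    memset(&box, 0xA5, sizeof(box));
    (void)model_profile_init(ptype, &box.prof);
    return box.canary == ~0UL / 0xFF * 0xA5;   /* 0xA5 repeated in every byte */
}

int main(void)
{
    printf("ptype 0xffff: word %zu of %zu, %zu bytes past the end, canary ok=%d\n", word_index(0xffff),
           (size_t)BITMAP_LONGS, bytes_past_end(0xffff), canary_survives(0xffff));
    return 0;
}
```

After a rejected call the profile still holds whatever the caller passed in, so the return value has to be checked before the profile is read.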
* Re: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init
From: Paul Menzel @ 2026-04-30 17:20 UTC
To: Aleksandr Loktionov; +Cc: intel-wired-lan, anthony.l.nguyen, netdev
Dear Aleksandr,

Thank you for your patch.

On 30.04.26 at 16:21, Aleksandr Loktionov wrote:
> set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of
> ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from
> providing ptype >= 1024 through VIRTCHNL, resulting in a write past
> the end of the bitmap and a kernel page fault.
>
> Reproduced with a custom kernel module injecting a crafted
> VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592),
> FW 4.91 0x800214af 1.3909.0, ICE COMMS DDP 1.3.53.0,
> kernel 7.1.0-rc1.
7.1-rc1 (no need to resend)
> crash_parser: ice_parser_profile_init @ ffffffffc0d61b60
> crash_parser: setting ptype=0xffff (max valid=1023)
> crash_parser: calling ice_parser_profile_init -- expect OOB crash!
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> Oops: Oops: 0002 [#1] SMP NOPTI
> CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1
> Hardware name: Intel Corporation S2600BPB/S2600BPB
> RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]
> Call Trace:
> <TASK>
> ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]
> crash_init+0x127/0xff0 [crash_parser]
> do_one_initcall+0x45/0x310
> do_init_module+0x64/0x270
> init_module_from_file+0xcc/0xf0
> idempotent_init_module+0x17b/0x280
> __x64_sys_finit_module+0x6e/0xe0
>
> Bail out early with -EINVAL when ptype is out of range.
Is a warning logged now?
> Fixes: e312b3a1e209 ("ice: add API for parser profile initialization")
> Cc: stable@vger.kernel.org
> Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> ---
> drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c b/drivers/net/ethernet/intel/ice/ice_parser.c
> index f8e6963..3ede4c1 100644
> --- a/drivers/net/ethernet/intel/ice/ice_parser.c
> +++ b/drivers/net/ethernet/intel/ice/ice_parser.c
> @@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result *rslt,
> u16 proto_off = 0;
> u16 off;
>
> + if (rslt->ptype >= ICE_FLOW_PTYPE_MAX)
> + return -EINVAL;
> +
> memset(prof, 0, sizeof(*prof));
> set_bit(rslt->ptype, prof->ptypes);
> if (blk == ICE_BLK_SW) {
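Review bot: The added return -EINVAL in this hunk is silent, which is what the question above about a warning comes down to. Because the commit message names a VF as the source of the value, an unconditional warning at this spot would be guest-triggerable; if visibility is wanted, a rate-limited or debug-level message, or a per-VF error counter, where the VIRTCHNL request is handled would provide it without letting a guest flood the host log.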
Kind regards,
Paul
* RE: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init
From: Loktionov, Aleksandr @ 2026-05-04 7:47 UTC
To: Paul Menzel
Cc: intel-wired-lan@lists.osuosl.org, Nguyen, Anthony L,
netdev@vger.kernel.org
> -----Original Message-----
> From: Paul Menzel <pmenzel@molgen.mpg.de>
> Sent: Thursday, April 30, 2026 7:21 PM
> To: Loktionov, Aleksandr <aleksandr.loktionov@intel.com>
> Cc: intel-wired-lan@lists.osuosl.org; Nguyen, Anthony L
> <anthony.l.nguyen@intel.com>; netdev@vger.kernel.org
> Subject: Re: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init
>
> Dear Aleksandr,
>
>
> Thank you for your patch.
>
> On 30.04.26 at 16:21, Aleksandr Loktionov wrote:
> > set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of
> > ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from
> > providing ptype >= 1024 through VIRTCHNL, resulting in a write past
> > the end of the bitmap and a kernel page fault.
> >
> > Reproduced with a custom kernel module injecting a crafted
> > VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592), FW 4.91 0x800214af
> > 1.3909.0, ICE COMMS DDP 1.3.53.0, kernel 7.1.0-rc1.
>
> 7.1-rc1 (no need to resend)
>
> > crash_parser: ice_parser_profile_init @ ffffffffc0d61b60
> > crash_parser: setting ptype=0xffff (max valid=1023)
> > crash_parser: calling ice_parser_profile_init -- expect OOB crash!
> > BUG: kernel NULL pointer dereference, address: 0000000000000000
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0002) - not-present page
> > Oops: Oops: 0002 [#1] SMP NOPTI
> > CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1
> > Hardware name: Intel Corporation S2600BPB/S2600BPB
> > RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]
> > Call Trace:
> > <TASK>
> > ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]
> > crash_init+0x127/0xff0 [crash_parser]
> > do_one_initcall+0x45/0x310
> > do_init_module+0x64/0x270
> > init_module_from_file+0xcc/0xf0
> > idempotent_init_module+0x17b/0x280
> > __x64_sys_finit_module+0x6e/0xe0
> >
> > Bail out early with -EINVAL when ptype is out of range.
>
> Is a warning logged now?
This error is potentially possible to generate from a VM via a modified iavf driver.
I think it's not a good idea to let a user other than the admin spam the host dmesg.
I couldn’t find a good example of such logging for other AQ packet types.
Do you have a good reason?

Thank you
>
> > Fixes: e312b3a1e209 ("ice: add API for parser profile initialization")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
> > ---
> > drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c
> > b/drivers/net/ethernet/intel/ice/ice_parser.c
> > index f8e6963..3ede4c1 100644
> > --- a/drivers/net/ethernet/intel/ice/ice_parser.c
> > +++ b/drivers/net/ethernet/intel/ice/ice_parser.c
> > @@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct
> ice_parser_result *rslt,
> > u16 proto_off = 0;
> > u16 off;
> >
> > + if (rslt->ptype >= ICE_FLOW_PTYPE_MAX)
> > + return -EINVAL;
> > +
> > memset(prof, 0, sizeof(*prof));
> > set_bit(rslt->ptype, prof->ptypes);
> > if (blk == ICE_BLK_SW) {
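Review bot: The bound used in the added check is ICE_FLOW_PTYPE_MAX, while the write it protects is set_bit(rslt->ptype, prof->ptypes) two lines further down, and the hunk does not show how prof->ptypes is declared. The guard is correct only as long as that bitmap stays ICE_FLOW_PTYPE_MAX bits wide; a one-line comment on the check tying it to the bitmap size would keep the two from drifting apart.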
>
>
> Kind regards,
>
> Paul