* [PATCH net] pds_core: fix potential stack info leak in firmware version reporting
From: Nikhil P. Rao @ 2026-05-15 21:29 UTC
To: netdev
Cc: brett.creeley, eric.joyner, andrew+netdev, davem, edumazet, kuba,
pabeni
The fw_version field in pds_core_fw_name_info is a fixed 32-byte array
that may not be null-terminated if firmware writes exactly 32
characters. When passed to devlink_info_version_stored_put(), this
could cause a read beyond the array boundary, potentially leaking
stack contents to userspace or causing a crash if the read crosses
into an unmapped page.
Null-terminate the firmware version string in place before passing it
to the devlink API.
Fixes: 45d76f492938 ("pds_core: set up device and adminq")
Assisted-by: Claude:claude-opus-4
Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com>
---
drivers/net/ethernet/amd/pds_core/devlink.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/pds_core/devlink.c b/drivers/net/ethernet/amd/pds_core/devlink.c
index b576be626a29..3f0e56b951bf 100644
--- a/drivers/net/ethernet/amd/pds_core/devlink.c
+++ b/drivers/net/ethernet/amd/pds_core/devlink.c
@@ -122,12 +122,14 @@ int pdsc_dl_info_get(struct devlink *dl, struct devlink_info_req *req,
listlen = min(fw_list.num_fw_slots, ARRAY_SIZE(fw_list.fw_names));
for (i = 0; i < listlen; i++) {
+ char *fw_ver = fw_list.fw_names[i].fw_version;
+
if (i < ARRAY_SIZE(fw_slotnames))
strscpy(buf, fw_slotnames[i], sizeof(buf));
else
snprintf(buf, sizeof(buf), "fw.slot_%d", i);
- err = devlink_info_version_stored_put(req, buf,
- fw_list.fw_names[i].fw_version);
+ fw_ver[sizeof(fw_list.fw_names[i].fw_version) - 1] = '\0';
+ err = devlink_info_version_stored_put(req, buf, fw_ver);
if (err)
return err;
}
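Review bot: The in-place write `fw_ver[sizeof(fw_list.fw_names[i].fw_version) - 1] = '\0';` runs unconditionally on the last byte of the field, so a version string that fills the whole array is reported with its final character dropped, and the fw_list data is modified as a side effect. If a full-width string is valid, copy the field into a local buffer of sizeof(fw_version) + 1 bytes, terminate that copy, and pass it to devlink_info_version_stored_put(). If the device is never expected to fill the field, state that in the commit message so the truncation is clearly a defensive measure.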
--
2.43.0
* Re: [PATCH net] pds_core: fix potential stack info leak in firmware version reporting
From: Jakub Kicinski @ 2026-05-20 2:16 UTC
To: Nikhil P. Rao
Cc: netdev, brett.creeley, eric.joyner, andrew+netdev, davem,
edumazet, pabeni
On Fri, 15 May 2026 21:29:06 +0000 Nikhil P. Rao wrote:
> The fw_version field in pds_core_fw_name_info is a fixed 32-byte array
> that may not be null-terminated if firmware writes exactly 32
> characters. When passed to devlink_info_version_stored_put(), this
> could cause a read beyond the array boundary, potentially leaking
> stack contents to userspace or causing a crash if the read crosses
> into an unmapped page.
>
> Null-terminate the firmware version string in place before passing it
> to the devlink API.
This loses the last, presumably meaningful character of the FW version.
Are you saying that device should never send names this long and this
is defensive? Otherwise we could trivially memcpy() the name into a
buffer on the stack that has one extra byte.
Please fix or clarify the commit msg.
--
pw-bot: cr
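The trade-off discussed in this thread, as an added userspace example that is not code from the patch or the pds_core driver: in-place termination of a full-width field drops its last character, while a copy into a buffer one byte larger keeps all of it. The struct, helper names and sample contents are hypothetical; only the 32-byte width comes from the commit message.

```c
#include <stdio.h>
#include <string.h>

#define FW_VERSION_LEN 32	/* field width stated in the commit message */

/* Hypothetical stand-in for a fixed-width field that may lack a NUL. */
struct fw_name_info {
	char fw_version[FW_VERSION_LEN];
};

/* Returns 1 when no NUL byte exists inside the field. */
static int is_unterminated(const struct fw_name_info *info)
{
	return memchr(info->fw_version, '\0', sizeof(info->fw_version)) == NULL;
}

/* In-place termination, as in the patch: the last byte is overwritten. */
static size_t terminate_in_place(struct fw_name_info *info)
{
	info->fw_version[sizeof(info->fw_version) - 1] = '\0';
	return strlen(info->fw_version);
}

/* Copy into a buffer of FW_VERSION_LEN + 1 bytes, as the reply suggests. */
static size_t copy_with_extra_byte(const struct fw_name_info *info, char *out)
{
	memcpy(out, info->fw_version, sizeof(info->fw_version));
	out[sizeof(info->fw_version)] = '\0';
	return strlen(out);
}

int main(void)
{
	struct fw_name_info a, b;
	char out[FW_VERSION_LEN + 1];
	size_t n;

	/* Constructed input: all 32 bytes used, no terminator. */
	memset(a.fw_version, 'A', sizeof(a.fw_version));
	a.fw_version[FW_VERSION_LEN - 1] = 'Z';
	b = a;

	printf("unterminated: %d\n", is_unterminated(&a));
	n = copy_with_extra_byte(&a, out);
	printf("copy:     %zu chars, last '%c'\n", n, out[n - 1]);
	n = terminate_in_place(&b);
	printf("in place: %zu chars, last '%c'\n", n, b.fw_version[n - 1]);
	return 0;
}
```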