Re: [PATCH v3] net/mlx5: Fix OOB access and stack information leak in PTP event handling

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Carolina Jubran <cjubran@nvidia.com>
To: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Cc: Richard Cochran <richardcochran@gmail.com>,
	Tariq Toukan <tariqt@nvidia.com>, Mark Bloch <mbloch@nvidia.com>,
	netdev@vger.kernel.org, linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org, Leon Romanovsky <leon@kernel.org>,
	Saeed Mahameed <saeedm@nvidia.com>
Subject: Re: [PATCH v3] net/mlx5: Fix OOB access and stack information leak in PTP event handling
Date: Sat, 11 Apr 2026 14:35:05 +0300	[thread overview]
Message-ID: <c30f21a3-5a27-43fb-957d-107775b00faf@nvidia.com> (raw)
In-Reply-To: <20260410015336.7353-1-prathameshdeshpande7@gmail.com>


On 10/04/2026 4:53, Prathamesh Deshpande wrote:
> In mlx5_pps_event(), several critical issues were identified during
> review by Sashiko:
>
> 1. The 'pin' index from the hardware event was used without bounds
>     checking to index 'pin_config' and 'pps_info->start', leading to
>     potential out-of-bounds memory access.
> 2. 'ptp_event' was not zero-initialized. Since it contains a union,
>     assigning a timestamp partially leaves the 'ts_raw' field with
>     uninitialized stack memory, which can leak kernel data or
>     corrupt time sync logic in hardpps().
> 3. A NULL 'pin_config' could be dereferenced if initialization failed.
> 4. 'clock->ptp' could be NULL if ptp_clock_register() failed.
>
> Fix these by zero-initializing the event struct, adding a bounds
> check against n_pins, and adding appropriate NULL guards.
>
> Fixes: 7c39afb394c7 ("net/mlx5: PTP code migration to driver core section")
> Suggested-by: Carolina Jubran <cjubran@nvidia.com>
> Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
> ---
> v3:
> - Fix union corruption by using a local timestamp variable [Sashiko].
> - Validate pin index against n_pins with WARN_ON_ONCE [Carolina].
> - Remove redundant pin < 0 check and cleanup TODO comment.
> v2:
> - Zero-initialize ptp_event to prevent stack information leak [Sashiko].
> - Add bounds check for hardware pin index to prevent OOB access [Sashiko].
> - Add NULL guard for pin_config to handle initialization failures [Sashiko].
> - Add NULL check for clock->ptp as originally intended.
>
>   .../net/ethernet/mellanox/mlx5/core/lib/clock.c | 17 ++++++++++++-----
>   1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
> index bd4e042077af..674dd048a6b8 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
> @@ -1164,16 +1164,22 @@ static int mlx5_pps_event(struct notifier_block *nb,
>   							       pps_nb);
>   	struct mlx5_core_dev *mdev = clock_state->mdev;
>   	struct mlx5_clock *clock = mdev->clock;
> -	struct ptp_clock_event ptp_event;
> +	struct ptp_clock_event ptp_event = {};
>   	struct mlx5_eqe *eqe = data;
>   	int pin = eqe->data.pps.pin;
>   	unsigned long flags;
>   	u64 ns;
>   
> +	if (!clock->ptp_info.pin_config)
> +		return NOTIFY_OK;
> +
> +	if (WARN_ON_ONCE(pin >= clock->ptp_info.n_pins))
> +		return NOTIFY_OK;


Sorry if my previous comment wasn't clear enough.


The firmware will never report a pin higher than n_pins, thats not the 
concern

here. if future hardware reports n_pins > 8, checking against n_pins 
would still

allow OOB access on those arrays. The check should compare against 
MAX_PIN_NUM

instead, since thats the actual hard limit of the driver's data 
structures. and if a new

device supports more than 8 pins, the WARN_ON_ONCE would let us know we need

to update the driver.


Thanks,

Carolina

next prev parent reply	other threads:[~2026-04-11 11:35 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-10  1:53 [PATCH v3] net/mlx5: Fix OOB access and stack information leak in PTP event handling Prathamesh Deshpande
2026-04-11 11:35 ` Carolina Jubran [this message]
2026-04-12  0:15   ` prathamesh deshpande

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c30f21a3-5a27-43fb-957d-107775b00faf@nvidia.com \
    --to=cjubran@nvidia.com \
    --cc=leon@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=mbloch@nvidia.com \
    --cc=netdev@vger.kernel.org \
    --cc=prathameshdeshpande7@gmail.com \
    --cc=richardcochran@gmail.com \
    --cc=saeedm@nvidia.com \
    --cc=tariqt@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox