From: Jacob Keller <jacob.e.keller@intel.com>
To: Simon Horman <horms@kernel.org>,
Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Cc: <intel-wired-lan@lists.osuosl.org>, <anthony.l.nguyen@intel.com>,
<netdev@vger.kernel.org>,
Paul Greenwalt <paul.greenwalt@intel.com>
Subject: Re: [Intel-wired-lan] [PATCH iwl-net v2 2/6] ixgbe: add bounds check for debugfs register access
Date: Mon, 13 Apr 2026 18:00:28 -0700 [thread overview]
Message-ID: <dda1f0f3-f57b-418a-93e6-2cdaa1d2ef35@intel.com> (raw)
In-Reply-To: <20260413103050.GL469338@kernel.org>
On 4/13/2026 3:30 AM, Simon Horman wrote:
> On Wed, Apr 08, 2026 at 03:11:50PM +0200, Aleksandr Loktionov wrote:
>> From: Paul Greenwalt <paul.greenwalt@intel.com>
>>
>> Prevent out-of-bounds MMIO accesses triggered through user-controlled
>> register offsets. IXGBE_HFDR (0x15FE8) is the highest valid MMIO
>> register in the ixgbe register map; any offset beyond it would address
>> unmapped memory.
>>
>> Add a defense-in-depth check at two levels:
>>
>> 1. ixgbe_read_reg() -- the noinline register read accessor. A
>> WARN_ON_ONCE() guard here catches any future code path (including
>> ioctl extensions) that might inadvertently pass an out-of-range
>> offset without relying on higher layers to catch it first.
>> ixgbe_write_reg() is a static inline called from the TX/RX hot path;
>> adding WARN_ON_ONCE there would inline the check at every call site,
>> so only the read path gets this guard.
>>
>> 2. ixgbe_dbg_reg_ops_write() -- the debugfs 'reg_ops' interface is the
>> only current path where a raw, user-supplied offset enters the driver.
>> Gating it before invoking the register accessors provides a clean,
>> user-visible failure (silent ignore with no kernel splat) for
>> deliberately malformed debugfs writes.
>>
>> Add a reg <= IXGBE_HFDR guard to both the read and write paths in
>> ixgbe_dbg_reg_ops_write(), and a WARN_ON_ONCE + early-return guard to
>> ixgbe_read_reg().
>>
>> Fixes: 91fbd8f081e2 ("ixgbe: added reg_ops file to debugfs")
>> Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
>> ---
>> v1 -> v2:
>> - Add Fixes: tag; reroute from iwl-next to iwl-net (security-relevant
>> hardening for user-controllable out-of-bounds MMIO).
>
> Thanks for the update.
>
> And sorry for not thinking to ask this earlier: this patch
> addresses possible overruns of the mapped address space if the
> supplied value for reg is too large. But do we also need a
> guard against underrun if the value for reg is too small?
>
I don't think so. This is bounds checking a register offset which is an
unsigned 32-bit value and begins at 0, so the map goes from 0 to
IXGBE_HFDR. Since the value is unsigned, if it does underflow somehow it
would then get caught by the check for IXGBE_HFDR right?
Thanks,
Jake
> ...
next prev parent reply other threads:[~2026-04-14 1:00 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 13:11 [PATCH iwl-net v2 0/6] ixgbe: six bug fixes Aleksandr Loktionov
2026-04-08 13:11 ` [PATCH iwl-net v2 1/6] ixgbe: fix SWFW semaphore timeout for X550 family Aleksandr Loktionov
2026-04-13 10:52 ` Simon Horman
2026-04-14 0:56 ` [Intel-wired-lan] " Jacob Keller
2026-04-08 13:11 ` [PATCH iwl-net v2 2/6] ixgbe: add bounds check for debugfs register access Aleksandr Loktionov
2026-04-13 10:30 ` Simon Horman
2026-04-14 1:00 ` Jacob Keller [this message]
2026-04-14 17:16 ` [Intel-wired-lan] " Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 3/6] ixgbe: call ixgbe_setup_fc() before fc_enable() after NVM update Aleksandr Loktionov
2026-04-13 10:51 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 4/6] ixgbe: fix cls_u32 nexthdr path returning success when no entry installed Aleksandr Loktionov
2026-04-13 10:54 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 5/6] ixgbe: fix ITR value overflow in adaptive interrupt throttling Aleksandr Loktionov
2026-04-13 13:39 ` Simon Horman
2026-04-08 13:11 ` [PATCH iwl-net v2 6/6] ixgbe: fix integer overflow and wrong bit position in ixgbe_validate_rtr() Aleksandr Loktionov
2026-04-13 13:43 ` Simon Horman
2026-04-13 14:02 ` Simon Horman
2026-04-13 14:03 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dda1f0f3-f57b-418a-93e6-2cdaa1d2ef35@intel.com \
--to=jacob.e.keller@intel.com \
--cc=aleksandr.loktionov@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=horms@kernel.org \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=netdev@vger.kernel.org \
--cc=paul.greenwalt@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox