public inbox for stable@vger.kernel.org
* [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
@ 2026-03-14  9:41 Junrui Luo
  2026-03-17 22:38 ` Jakub Kicinski
  2026-03-17 23:10 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 4+ messages in thread
From: Junrui Luo @ 2026-03-14  9:41 UTC (permalink / raw)
  To: Michael Chan, Pavan Chebbi, Andrew Lunn, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Shruti Parab,
	Hongguang Gao
  Cc: netdev, linux-kernel, Yuhao Jiang, stable, Junrui Luo

The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
bnxt_async_event_process() uses a firmware-supplied 'type' field
directly as an index into bp->bs_trace[] without bounds validation.

The 'type' field is a 16-bit value extracted from DMA-mapped completion
ring memory that the NIC writes directly to host RAM. A malicious or
compromised NIC can supply any value from 0 to 65535, causing an
out-of-bounds access into kernel heap memory.

The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
kernel memory corruption or a crash.

Fix by adding a bounds check and defining BNXT_TRACE_MAX as
DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
defined firmware trace types (0x0 through 0xc).

Fixes: 84fcd9449fd7 ("bnxt_en: Manage the FW trace context memory")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
Changes in v3:
- Define BNXT_TRACE_MAX using DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1
  to clarify the supported trace type range, as suggested by Michael Chan.
- Link to v2: https://lore.kernel.org/all/SYBPR01MB78817D5AED8035071888D7EDAF45A@SYBPR01MB7881.ausprd01.prod.outlook.com/
Changes in v2:
- Use ARRAY_SIZE(bp->bs_trace) instead of BNXT_TRACE_MAX for the
  bounds check, as suggested by Andrew Lunn.
- Link to v1: https://lore.kernel.org/all/SYBPR01MB7881338BC956C39A9848EE86AF45A@SYBPR01MB7881.ausprd01.prod.outlook.com/
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
 drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index c426a41c3663..0751c0e4581a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -2929,6 +2929,8 @@ static int bnxt_async_event_process(struct bnxt *bp,
 		u16 type = (u16)BNXT_EVENT_BUF_PRODUCER_TYPE(data1);
 		u32 offset =  BNXT_EVENT_BUF_PRODUCER_OFFSET(data2);
 
+		if (type >= ARRAY_SIZE(bp->bs_trace))
+			goto async_event_process_exit;
 		bnxt_bs_trace_check_wrap(&bp->bs_trace[type], offset);
 		goto async_event_process_exit;
 	}
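Review bot: the out-of-range branch at `if (type >= ARRAY_SIZE(bp->bs_trace))` drops the event silently; a ratelimited warning (for example netdev_warn_once() naming the offending type) would make a misbehaving firmware visible in the logs instead of only as missing trace data, and gives the new check something observable to trip in testing. The check itself is well placed: it runs before the first dereference inside bnxt_bs_trace_check_wrap(), and bounding it by ARRAY_SIZE(bp->bs_trace) rather than the macro keeps it correct if BNXT_TRACE_MAX changes again.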
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 9a41b9e0423c..a97d651130df 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -2146,7 +2146,7 @@ enum board_idx {
 };
 
 #define BNXT_TRACE_BUF_MAGIC_BYTE ((u8)0xbc)
-#define BNXT_TRACE_MAX 11
+#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)
 
 struct bnxt_bs_trace_info {
 	u8 *magic_byte;
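Review bot: the new definition grows BNXT_TRACE_MAX from 11 to 0xd (types 0x0 through 0xc per the commit message), so bs_trace[] gains two slots and every other loop or array bounded by BNXT_TRACE_MAX now covers indices 11 and 12 as well; a sentence in the commit message confirming those users handle the two new indices would help reviewers and backporters. The macro also now depends on DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE from the firmware interface header, so that definition has to be visible in bnxt.h before this line.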

---
base-commit: 0257f64bdac7fdca30fa3cae0df8b9ecbec7733a
change-id: 20260313-fixes-e1f4d1aafb1e

Best regards,
-- 
Junrui Luo <moonafterrain@outlook.com>
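A stand-alone C model of the pattern this patch fixes, added here as an illustration; it is not code from the bnxt_en driver or from anyone in this thread. It reproduces the shape of the handler (a device-written completion event whose low 16 bits select a per-type trace slot) and shows the guarded version rejecting an index that would land past the array. The names (trace_info, adapter, process_buf_producer_event, feed_event, oob_distance), the event layout and the 13-slot array size are constructed assumptions modelled on the commit message; only the idea of checking against the real array length before the first dereference is taken from the patch.

```c
/* Added example (not driver code): bounds-checking a device-supplied index
 * read from DMA-mapped completion-ring memory before using it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the per-type trace bookkeeping the event updates. */
struct trace_info {
	uint8_t *magic_byte;
	uint32_t last_offset;
	uint8_t wrapped;
};

/* Assumed: highest firmware trace type is 0xc, so 13 slots (0x0..0xc). */
#define TRACE_MAX 13
#define TRACE_MAGIC ((uint8_t)0xbc)

struct adapter {
	struct trace_info bs_trace[TRACE_MAX];
};

/* Models the wrap check: record the producer offset and, if the magic byte
 * the device is expected to preserve no longer matches, flag a wrap. */
static void trace_check_wrap(struct trace_info *t, uint32_t offset)
{
	t->last_offset = offset;
	if (*t->magic_byte != TRACE_MAGIC)
		t->wrapped = 1;
}

/* A completion-ring event as the device writes it into host memory;
 * constructed layout: the trace type sits in the low 16 bits of data1. */
struct async_event {
	uint32_t data1;
	uint32_t data2;
};

#define EVENT_BUF_PRODUCER_TYPE(d1)   ((uint16_t)((d1) & 0xffff))
#define EVENT_BUF_PRODUCER_OFFSET(d2) (d2)

/* Returns 0 when the event was applied, -1 when the device-supplied type
 * lies outside bs_trace[] and the event was dropped. */
static int process_buf_producer_event(struct adapter *bp, const struct async_event *ev)
{
	uint16_t type = EVENT_BUF_PRODUCER_TYPE(ev->data1);
	uint32_t offset = EVENT_BUF_PRODUCER_OFFSET(ev->data2);

	/* The index is attacker-controllable memory; validate it against the
	 * real array length before the first dereference. */
	if (type >= ARRAY_SIZE(bp->bs_trace)) {
		fprintf(stderr, "dropping DBG_BUF_PRODUCER event: type %u out of range\n", type);
		return -1;
	}
	trace_check_wrap(&bp->bs_trace[type], offset);
	return 0;
}

/* How many bytes past the end of bs_trace[] an unchecked index would reach
 * (0 when the index is in range); computed, never dereferenced. */
static size_t oob_distance(uint16_t type)
{
	size_t end = (size_t)TRACE_MAX * sizeof(struct trace_info);
	size_t at = (size_t)type * sizeof(struct trace_info);

	return at < end ? 0 : at - end + sizeof(struct trace_info);
}

struct outcome {
	int verdict;          /* 0 applied, -1 dropped */
	uint32_t last_offset; /* value recorded in bs_trace[type]; 0 if dropped */
	uint8_t wrapped;      /* wrap flag after the event; 0 if dropped */
};

/* Builds a fresh adapter whose magic bytes all read magic_value, feeds one
 * constructed event and reports what the handler did with it. */
static struct outcome feed_event(uint16_t type, uint32_t offset, uint8_t magic_value)
{
	static uint8_t magic[TRACE_MAX];
	struct adapter bp;
	struct async_event ev = { .data1 = type, .data2 = offset };
	struct outcome out = { 0, 0, 0 };

	memset(&bp, 0, sizeof(bp));
	for (size_t i = 0; i < TRACE_MAX; i++) {
		magic[i] = magic_value;
		bp.bs_trace[i].magic_byte = &magic[i];
	}
	out.verdict = process_buf_producer_event(&bp, &ev);
	if (out.verdict == 0) {
		out.last_offset = bp.bs_trace[type].last_offset;
		out.wrapped = bp.bs_trace[type].wrapped;
	}
	return out;
}

int main(void)
{
	struct outcome ok = feed_event(3, 4096, TRACE_MAGIC);
	struct outcome bad = feed_event(0xffff, 0, TRACE_MAGIC);

	printf("type 3: verdict %d, last_offset %u\n", ok.verdict, ok.last_offset);
	printf("type 0xffff: verdict %d, unchecked access would reach %zu bytes past bs_trace[]\n",
	       bad.verdict, oob_distance(0xffff));
	return 0;
}
```

The distance reported by oob_distance() is the point of the check: a 16-bit type field can address far beyond a 13-entry array, and the write in trace_check_wrap() would land wherever that arithmetic points.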



* Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
  2026-03-14  9:41 [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler Junrui Luo
@ 2026-03-17 22:38 ` Jakub Kicinski
  2026-03-17 22:52   ` Michael Chan
  2026-03-17 23:10 ` patchwork-bot+netdevbpf
  1 sibling, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2026-03-17 22:38 UTC (permalink / raw)
  To: Michael Chan
  Cc: Junrui Luo, Pavan Chebbi, Andrew Lunn, David S. Miller,
	Eric Dumazet, Paolo Abeni, Shruti Parab, Hongguang Gao, netdev,
	linux-kernel, Yuhao Jiang, stable

On Sat, 14 Mar 2026 17:41:04 +0800 Junrui Luo wrote:
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
> 
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
> 
> The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> kernel memory corruption or a crash.
> 
> Fix by adding a bounds check and defining BNXT_TRACE_MAX as
> DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
> defined firmware trace types (0x0 through 0xc).

Hi Michael, looks like it now does what you asked in v2?


* Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
  2026-03-17 22:38 ` Jakub Kicinski
@ 2026-03-17 22:52   ` Michael Chan
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Chan @ 2026-03-17 22:52 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Junrui Luo, Pavan Chebbi, Andrew Lunn, David S. Miller,
	Eric Dumazet, Paolo Abeni, Shruti Parab, Hongguang Gao, netdev,
	linux-kernel, Yuhao Jiang, stable


On Tue, Mar 17, 2026 at 3:38 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Sat, 14 Mar 2026 17:41:04 +0800 Junrui Luo wrote:
> > The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> > bnxt_async_event_process() uses a firmware-supplied 'type' field
> > directly as an index into bp->bs_trace[] without bounds validation.
> >
> > The 'type' field is a 16-bit value extracted from DMA-mapped completion
> > ring memory that the NIC writes directly to host RAM. A malicious or
> > compromised NIC can supply any value from 0 to 65535, causing an
> > out-of-bounds access into kernel heap memory.
> >
> > The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> > and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> > kernel memory corruption or a crash.
> >
> > Fix by adding a bounds check and defining BNXT_TRACE_MAX as
> > DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
> > defined firmware trace types (0x0 through 0xc).
>
> Hi Michael, looks like it now does what you asked in v2?

Yes it does.  Somehow I did not receive v3 from Junrui, but I checked
lore and v3 looks good.  Thanks.

Reviewed-by: Michael Chan <michael.chan@broadcom.com>



* Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
  2026-03-14  9:41 [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler Junrui Luo
  2026-03-17 22:38 ` Jakub Kicinski
@ 2026-03-17 23:10 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-03-17 23:10 UTC (permalink / raw)
  To: Junrui Luo
  Cc: michael.chan, pavan.chebbi, andrew+netdev, davem, edumazet, kuba,
	pabeni, shruti.parab, hongguang.gao, netdev, linux-kernel,
	danisjiang, stable

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sat, 14 Mar 2026 17:41:04 +0800 you wrote:
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
> 
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
> 
> [...]

Here is the summary with links:
  - [net,v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
    https://git.kernel.org/netdev/net/c/64dcbde7f8f8

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



