[PATCH] ibmasm: validate MFA offset against BAR0 size

[PATCH] ibmasm: validate MFA offset against BAR0 size

[Tyllis Xu]

ibmasm_interrupt_handler() and ibmasm_send_i2o_message() dereference an
MMIO pointer derived from a hardware-supplied MFA offset without bounds
checking, allowing out-of-bounds MMIO reads and writes.

A compromised service processor can supply a crafted MFA value whose offset
exceeds the size of the mapped BAR0 region. The driver passes this
through valid_mfa(), which only rejects the sentinel 0xFFFFFFFF, then
immediately uses it to compute an MMIO pointer in interrupt context.
A malicious message_size field can additionally drive
ibmasm_receive_message() to read further beyond the end of the BAR.

The root cause is that get_i2o_message() adds the hardware-supplied
GET_MFA_ADDR(mfa) offset to base_address with no upper bound check, and
incoming_data_size() trusts the hardware message_size field without
clamping it to the remaining mapped space.

Fix by storing the BAR0 length at probe time and rejecting any MFA whose
computed offset would place the i2o_message structure outside the mapped
region. Also clamp the data sizes passed to ibmasm_receive_message() and
the outbound memcpy_toio() to the remaining mapped space so that a
crafted message_size or oversized dot command cannot drive reads or
writes beyond the end of the BAR.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: ychen@northwestern.edu
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
---
 drivers/misc/ibmasm/ibmasm.h   |  1 +
 drivers/misc/ibmasm/lowlevel.c | 33 +++++++++++++++++++++++++++------
 drivers/misc/ibmasm/module.c   |  1 +
 3 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/ibmasm.h
+++ b/drivers/misc/ibmasm/ibmasm.h
@@ -139,6 +139,7 @@ struct service_processor {
 	struct list_head	node;
 	spinlock_t		lock;
 	void __iomem		*base_address;
+	resource_size_t		bar0_size;
 	unsigned int		irq;
 	struct command		*current_command;
 	struct command		*heartbeat;
diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/module.c
+++ b/drivers/misc/ibmasm/module.c
@@ -96,6 +96,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	if (!sp->base_address) {
 		dev_err(sp->dev, "Failed to ioremap pci memory\n");
 		result =  -ENODEV;
 		goto error_ioremap;
 	}
+	sp->bar0_size = pci_resource_len(pdev, 0);

 	result = request_irq(sp->irq, ibmasm_interrupt_handler, IRQF_SHARED,
diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/lowlevel.c
+++ b/drivers/misc/ibmasm/lowlevel.c
@@ -26,9 +26,17 @@ int ibmasm_send_i2o_message(struct service_processor *sp)
 	mfa = get_mfa_inbound(sp->base_address);
 	if (!mfa)
 		return 1;
+	if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
+		dev_err(sp->dev, "ignoring out-of-range MFA 0x%08x\n", mfa);
+		return 1;
+	}

 	command_size = get_dot_command_size(command->buffer);
+	command_size = min_t(unsigned int, command_size,
+			     (unsigned int)(sp->bar0_size - GET_MFA_ADDR(mfa) -
+					    sizeof(struct i2o_header)));
 	header.message_size = outgoing_message_size(command_size);
@@ -60,12 +68,25 @@ irqreturn_t ibmasm_interrupt_handler(int irq, void * dev_id)

 	mfa = get_mfa_outbound(base_address);
 	if (valid_mfa(mfa)) {
-		struct i2o_message *msg = get_i2o_message(base_address, mfa);
-		ibmasm_receive_message(sp, &msg->data, incoming_data_size(msg));
-	} else
-		dbg("didn't get a valid MFA\n");
+		if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
+			dev_err(sp->dev,
+				"ignoring out-of-range MFA 0x%08x\n", mfa);
+		} else {
+			struct i2o_message *msg = get_i2o_message(base_address, mfa);
+			u32 max_data = (u32)(sp->bar0_size - GET_MFA_ADDR(mfa) -
+					     sizeof(struct i2o_header));
+
+			ibmasm_receive_message(sp, &msg->data,
+					       min_t(u32, incoming_data_size(msg),
+						     max_data));
+		}
+	} else {
+		dbg("didn't get a valid MFA\n");
+	}

 	set_mfa_outbound(base_address, mfa);