* [PATCH] ibmasm: validate MFA offset against BAR0 size
@ 2026-03-08 6:04 Tyllis Xu
2026-04-02 14:30 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Tyllis Xu @ 2026-03-08 6:04 UTC (permalink / raw)
To: arnd, gregkh; +Cc: linux-kernel, stable, ychen, danisjiang, Tyllis Xu
ibmasm_interrupt_handler() and ibmasm_send_i2o_message() dereference an
MMIO pointer derived from a hardware-supplied MFA offset without bounds
checking, allowing out-of-bounds MMIO reads and writes.
A compromised service processor can supply a crafted MFA value whose offset
exceeds the size of the mapped BAR0 region. The driver passes this
through valid_mfa(), which only rejects the sentinel 0xFFFFFFFF, then
immediately uses it to compute an MMIO pointer in interrupt context.
A malicious message_size field can additionally drive
ibmasm_receive_message() to read further beyond the end of the BAR.
The root cause is that get_i2o_message() adds the hardware-supplied
GET_MFA_ADDR(mfa) offset to base_address with no upper bound check, and
incoming_data_size() trusts the hardware message_size field without
clamping it to the remaining mapped space.
Fix by storing the BAR0 length at probe time and rejecting any MFA whose
computed offset would place the i2o_message structure outside the mapped
region. Also clamp the data sizes passed to ibmasm_receive_message() and
the outbound memcpy_toio() to the remaining mapped space so that a
crafted message_size or oversized dot command cannot drive reads or
writes beyond the end of the BAR.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: ychen@northwestern.edu
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
---
drivers/misc/ibmasm/ibmasm.h | 1 +
drivers/misc/ibmasm/lowlevel.c | 33 +++++++++++++++++++++++++++------
drivers/misc/ibmasm/module.c | 1 +
3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/ibmasm.h
+++ b/drivers/misc/ibmasm/ibmasm.h
@@ -139,6 +139,7 @@ struct service_processor {
struct list_head node;
spinlock_t lock;
void __iomem *base_address;
+ resource_size_t bar0_size;
unsigned int irq;
struct command *current_command;
struct command *heartbeat;
diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/module.c
+++ b/drivers/misc/ibmasm/module.c
@@ -96,6 +96,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
if (!sp->base_address) {
dev_err(sp->dev, "Failed to ioremap pci memory\n");
result = -ENODEV;
goto error_ioremap;
}
+ sp->bar0_size = pci_resource_len(pdev, 0);
result = request_irq(sp->irq, ibmasm_interrupt_handler, IRQF_SHARED,
diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/misc/ibmasm/lowlevel.c
+++ b/drivers/misc/ibmasm/lowlevel.c
@@ -26,9 +26,17 @@ int ibmasm_send_i2o_message(struct service_processor *sp)
mfa = get_mfa_inbound(sp->base_address);
if (!mfa)
return 1;
+ if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
+ dev_err(sp->dev, "ignoring out-of-range MFA 0x%08x\n", mfa);
+ return 1;
+ }
command_size = get_dot_command_size(command->buffer);
+ command_size = min_t(unsigned int, command_size,
+ (unsigned int)(sp->bar0_size - GET_MFA_ADDR(mfa) -
+ sizeof(struct i2o_header)));
header.message_size = outgoing_message_size(command_size);
@@ -60,12 +68,25 @@ irqreturn_t ibmasm_interrupt_handler(int irq, void * dev_id)
mfa = get_mfa_outbound(base_address);
if (valid_mfa(mfa)) {
- struct i2o_message *msg = get_i2o_message(base_address, mfa);
- ibmasm_receive_message(sp, &msg->data, incoming_data_size(msg));
- } else
- dbg("didn't get a valid MFA\n");
+ if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
+ dev_err(sp->dev,
+ "ignoring out-of-range MFA 0x%08x\n", mfa);
+ } else {
+ struct i2o_message *msg = get_i2o_message(base_address, mfa);
+ u32 max_data = (u32)(sp->bar0_size - GET_MFA_ADDR(mfa) -
+ sizeof(struct i2o_header));
+
+ ibmasm_receive_message(sp, &msg->data,
+ min_t(u32, incoming_data_size(msg),
+ max_data));
+ }
+ } else {
+ dbg("didn't get a valid MFA\n");
+ }
set_mfa_outbound(base_address, mfa);
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] ibmasm: validate MFA offset against BAR0 size
2026-03-08 6:04 [PATCH] ibmasm: validate MFA offset against BAR0 size Tyllis Xu
@ 2026-04-02 14:30 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-04-02 14:30 UTC (permalink / raw)
To: Tyllis Xu; +Cc: arnd, linux-kernel, stable, ychen, danisjiang
On Sun, Mar 08, 2026 at 12:04:10AM -0600, Tyllis Xu wrote:
> ibmasm_interrupt_handler() and ibmasm_send_i2o_message() dereference an
> MMIO pointer derived from a hardware-supplied MFA offset without bounds
> checking, allowing out-of-bounds MMIO reads and writes.
>
> A compromised service processor can supply a crafted MFA value whose offset
> exceeds the size of the mapped BAR0 region. The driver passes this
> through valid_mfa(), which only rejects the sentinel 0xFFFFFFFF, then
> immediately uses it to compute an MMIO pointer in interrupt context.
> A malicious message_size field can additionally drive
> ibmasm_receive_message() to read further beyond the end of the BAR.
>
> The root cause is that get_i2o_message() adds the hardware-supplied
> GET_MFA_ADDR(mfa) offset to base_address with no upper bound check, and
> incoming_data_size() trusts the hardware message_size field without
> clamping it to the remaining mapped space.
>
> Fix by storing the BAR0 length at probe time and rejecting any MFA whose
> computed offset would place the i2o_message structure outside the mapped
> region. Also clamp the data sizes passed to ibmasm_receive_message() and
> the outbound memcpy_toio() to the remaining mapped space so that a
> crafted message_size or oversized dot command cannot drive reads or
> writes beyond the end of the BAR.
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: ychen@northwestern.edu
> Cc: stable@vger.kernel.org
> Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com>
> ---
> drivers/misc/ibmasm/ibmasm.h | 1 +
> drivers/misc/ibmasm/lowlevel.c | 33 +++++++++++++++++++++++++++------
> drivers/misc/ibmasm/module.c | 1 +
> 3 files changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/misc/ibmasm/ibmasm.h b/drivers/misc/ibmasm/ibmasm.h
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/misc/ibmasm/ibmasm.h
> +++ b/drivers/misc/ibmasm/ibmasm.h
> @@ -139,6 +139,7 @@ struct service_processor {
> struct list_head node;
> spinlock_t lock;
> void __iomem *base_address;
> + resource_size_t bar0_size;
> unsigned int irq;
> struct command *current_command;
> struct command *heartbeat;
> diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/misc/ibmasm/module.c
> +++ b/drivers/misc/ibmasm/module.c
> @@ -96,6 +96,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
> if (!sp->base_address) {
> dev_err(sp->dev, "Failed to ioremap pci memory\n");
> result = -ENODEV;
> goto error_ioremap;
> }
> + sp->bar0_size = pci_resource_len(pdev, 0);
>
> result = request_irq(sp->irq, ibmasm_interrupt_handler, IRQF_SHARED,
> diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/misc/ibmasm/lowlevel.c
> +++ b/drivers/misc/ibmasm/lowlevel.c
> @@ -26,9 +26,17 @@ int ibmasm_send_i2o_message(struct service_processor *sp)
> mfa = get_mfa_inbound(sp->base_address);
> if (!mfa)
> return 1;
> + if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
> + dev_err(sp->dev, "ignoring out-of-range MFA 0x%08x\n", mfa);
> + return 1;
> + }
>
> command_size = get_dot_command_size(command->buffer);
> + command_size = min_t(unsigned int, command_size,
> + (unsigned int)(sp->bar0_size - GET_MFA_ADDR(mfa) -
> + sizeof(struct i2o_header)));
> header.message_size = outgoing_message_size(command_size);
> @@ -60,12 +68,25 @@ irqreturn_t ibmasm_interrupt_handler(int irq, void * dev_id)
>
> mfa = get_mfa_outbound(base_address);
> if (valid_mfa(mfa)) {
> - struct i2o_message *msg = get_i2o_message(base_address, mfa);
> - ibmasm_receive_message(sp, &msg->data, incoming_data_size(msg));
> - } else
> - dbg("didn't get a valid MFA\n");
> + if (GET_MFA_ADDR(mfa) + sizeof(struct i2o_message) > sp->bar0_size) {
> + dev_err(sp->dev,
> + "ignoring out-of-range MFA 0x%08x\n", mfa);
> + } else {
> + struct i2o_message *msg = get_i2o_message(base_address, mfa);
> + u32 max_data = (u32)(sp->bar0_size - GET_MFA_ADDR(mfa) -
> + sizeof(struct i2o_header));
> +
> + ibmasm_receive_message(sp, &msg->data,
> + min_t(u32, incoming_data_size(msg),
> + max_data));
> + }
> + } else {
> + dbg("didn't get a valid MFA\n");
> + }
>
> set_mfa_outbound(base_address, mfa);
>
Patch does not apply to the char-misc next branch, and seems to be
corrupted?
Please fix up and resend.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-02 14:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-08 6:04 [PATCH] ibmasm: validate MFA offset against BAR0 size Tyllis Xu
2026-04-02 14:30 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox