Re: [PATCH net v2] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

From: Michael Chan

Date: Fri Mar 13 2026 - 13:46:13 EST


On Fri, Mar 13, 2026 at 8:38 AM Junrui Luo <moonafterrain@xxxxxxxxxxx> wrote:
>
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
>
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
> The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> kernel memory corruption or a crash.
>
> Fix by adding a bounds check and updating BNXT_TRACE_MAX from 11 to 13
> to cover all currently defined firmware trace types (0x0 through 0xc).
>
> Fixes: 84fcd9449fd7 ("bnxt_en: Manage the FW trace context memory")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---

> diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
> index 9a41b9e0423c..597932cdea09 100644
> --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
> +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
> @@ -2146,7 +2146,7 @@ enum board_idx {
> };
>
> #define BNXT_TRACE_BUF_MAGIC_BYTE ((u8)0xbc)
> -#define BNXT_TRACE_MAX 11
> +#define BNXT_TRACE_MAX 13
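Review bot: the new bound is a bare literal 13, while the commit message ties it to the firmware-defined trace types 0x0 through 0xc, so the next trace type firmware adds will leave the array one entry short unless someone remembers to bump this define by hand. Deriving it from the firmware header, e.g. `#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)`, keeps the array size and the supported range in one place. The bounds check in bnxt_async_event_process() that the commit message describes is outside the quoted hunk; it should compare the firmware-supplied type against BNXT_TRACE_MAX rather than a second literal, so the two cannot drift apart.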

I think you can use DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1
here. This will clarify that we support all trace types up to QPC.
Thanks.
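For readers following the thread, the added example below (not the bnxt driver's code, and not from either author) models the defensive pattern the patch discussion is about: a 16-bit index read from device-written completion memory must be checked against the array bound before it selects a bp->bs_trace[] slot, and that bound is derived from the firmware enum as Michael suggests rather than hard-coded. The struct layouts, the handler name, and the value 0xc for DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE (taken from the commit message's "0x0 through 0xc" range, not from bnxt_hsi.h) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the firmware trace-type enum. The value 0xc is an
 * assumption taken from the commit message's range, not from bnxt_hsi.h. */
#define DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE 0xcU

/* Derive the array bound from the highest supported firmware type so that a
 * new trace type added to the enum cannot silently leave the array short. */
#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)

#define BNXT_TRACE_BUF_MAGIC_BYTE ((uint8_t)0xbc)

/* Simplified, hypothetical model of the per-type trace bookkeeping. */
struct bnxt_bs_trace_info {
	uint8_t *magic_byte;   /* NULL when this trace type is not set up */
	uint32_t last_offset;
	bool wrapped;
};

struct bnxt {
	struct bnxt_bs_trace_info bs_trace[BNXT_TRACE_MAX];
};

/* Completion entry as the device wrote it into host memory: every field is
 * untrusted input. The layout is constructed for this example. */
struct dbg_buf_producer_cmpl {
	uint16_t type;     /* trace type selected by the device */
	uint32_t offset;   /* producer offset reported by the device */
};

/* Returns true if the event was processed, false if it was rejected. */
static bool handle_dbg_buf_producer(struct bnxt *bp,
				    const struct dbg_buf_producer_cmpl *cmpl)
{
	uint16_t type = cmpl->type;
	struct bnxt_bs_trace_info *bs_trace;

	/* Validate the device-supplied index before it touches bs_trace[]. */
	if (type >= BNXT_TRACE_MAX)
		return false;

	bs_trace = &bp->bs_trace[type];
	if (!bs_trace->magic_byte)
		return false;   /* host never allocated this trace type */

	/* Stand-in for bnxt_bs_trace_check_wrap(): a producer offset that
	 * moved backwards means the ring wrapped. */
	if (cmpl->offset < bs_trace->last_offset)
		bs_trace->wrapped = true;
	bs_trace->last_offset = cmpl->offset;
	return true;
}

/* Test helper: attach a host-side magic byte to one trace slot. */
static void setup_trace(struct bnxt *bp, unsigned int type, uint8_t *magic)
{
	if (type < BNXT_TRACE_MAX)
		bp->bs_trace[type].magic_byte = magic;
}

/* Exercises the handler with constructed completions; 0 means all checks passed. */
static int run_selftest(void)
{
	struct bnxt bp;
	uint8_t magic = BNXT_TRACE_BUF_MAGIC_BYTE;
	struct dbg_buf_producer_cmpl ok   = { .type = 0x0c,   .offset = 100 };
	struct dbg_buf_producer_cmpl oob  = { .type = 0xffff, .offset = 100 };
	struct dbg_buf_producer_cmpl wrap = { .type = 0x0c,   .offset = 10 };

	memset(&bp, 0, sizeof(bp));
	setup_trace(&bp, 0x0c, &magic);

	if (!handle_dbg_buf_producer(&bp, &ok))   return 1; /* highest valid type */
	if (handle_dbg_buf_producer(&bp, &oob))   return 2; /* rejected, no access */
	if (!handle_dbg_buf_producer(&bp, &wrap)) return 3;
	if (!bp.bs_trace[0x0c].wrapped)           return 4; /* wrap was detected */
	if (bp.bs_trace[0x0c].last_offset != 10)  return 5;
	return 0;
}

int main(void)
{
	printf("BNXT_TRACE_MAX = %u, selftest = %d\n",
	       (unsigned int)BNXT_TRACE_MAX, run_selftest());
	return 0;
}
```

The point of deriving BNXT_TRACE_MAX from the enum is that the bounds check in the handler and the array declaration then share one source of truth; a firmware header update that adds a trace type grows both together instead of reopening the out-of-bounds window.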
