Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

Next message: Thomas Gleixner: "Re: [patch 4/8] futex: Add support for unlocking robust futexes"
Previous message: Sakari Ailus: "Re: [PATCH v11] media: Add t4ka3 camera sensor driver"
Next in thread: Michael Chan: "Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Tue Mar 17 2026 - 18:38:46 EST

On Sat, 14 Mar 2026 17:41:04 +0800 Junrui Luo wrote:
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
>
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
>
> The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> kernel memory corruption or a crash.
>
> Fix by adding a bounds check and defining BNXT_TRACE_MAX as
> DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
> defined firmware trace types (0x0 through 0xc).

Hi Micheal, looks like it now does what you asked in v2?