Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

Next message: Josh Poimboeuf: "[PATCH v2 12/12] klp-build: Support cross-compilation"
Previous message: Josh Poimboeuf: "[PATCH v2 02/12] arm64: head: Move boot header to .head.data"
In reply to: Jakub Kicinski: "Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Chan

Date: Tue Mar 17 2026 - 18:52:28 EST

On Tue, Mar 17, 2026 at 3:38 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
>
> On Sat, 14 Mar 2026 17:41:04 +0800 Junrui Luo wrote:
> > The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> > bnxt_async_event_process() uses a firmware-supplied 'type' field
> > directly as an index into bp->bs_trace[] without bounds validation.
> >
> > The 'type' field is a 16-bit value extracted from DMA-mapped completion
> > ring memory that the NIC writes directly to host RAM. A malicious or
> > compromised NIC can supply any value from 0 to 65535, causing an
> > out-of-bounds access into kernel heap memory.
> >
> > The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
> > and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
> > kernel memory corruption or a crash.
> >
> > Fix by adding a bounds check and defining BNXT_TRACE_MAX as
> > DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
> > defined firmware trace types (0x0 through 0xc).
>
> Hi Micheal, looks like it now does what you asked in v2?

Yes it does. Somehow I did not receive v3 from Junrui, but I checked
lore and v3 looks good. Thanks.

Reviewed-by: Michael Chan <michael.chan@xxxxxxxxxxxx>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature