Re: [PATCH] cxl/pci: Fix out-of-bounds read of the RAS Header Log
From: Bowman, Terry
Date: Fri Jun 05 2026 - 13:42:57 EST
On 6/5/2026 11:59 AM, Richard Cheng wrote:
> On Fri, Jun 05, 2026 at 08:30:55AM +0800, Dave Jiang wrote:
>>
>>
>> On 6/4/26 9:16 PM, Richard Cheng wrote:
>>> The CXL RAS Header Log is 64 bytes, but CXL_HEADERLOG_SIZE is SZ_512,
>>> which is 512 bytes, not 512 bits, so the kernel treats it as 8x times
>>> bigger.
>>>
>>> header_log_copy() reads 448 bytes of MMIO past the register, and
>>> cxl_*_aer_uncorrectable_error() tracepoints memcpy 512 bytes from the
>>> 64-byte header log. On the CPER path the source is a heap object, so the
>>> copy runs 448 bytes past it and leaks kernel memory into a trace record
>>> that userspace can read:
>>
>> I think Terry raised the same issue and this [1] is what Dan suggested for the fix as there's rasdaemon (user) impact.
>>
>> [1]: https://lore.kernel.org/linux-cxl/6a0e33507e961_1717cc100f6@djbw-dev.notmuch/
>>
>> DJ
>
> Hi Dave,
>
> I see, so is he gonna do the fix or I can send a v2 with the suggested approach ?
>
> Best regards,
> Richard Cheng.
>
Hi Richard,
I will send that fix today.
Regards,
Terry
>>
>>>
>>> """
>>> [ 297.704020] BUG: KASAN: slab-out-of-bounds in trace_event_raw_event_cxl_port_aer_uncorrectable_error+0x318/0x4b0
>>> [ 297.704032] Read of size 512 at addr ffff0000dd6ee118 by task bash/3078
>>>
>>> [ 297.704038] CPU: 116 UID: 0 PID: 3078 Comm: bash Not tainted 7.1.0-rc6+ #1 PREEMPT(full)
>>> [ 297.704041] Hardware name: , BIOS buildbrain-gcid-sbios-45660680 Wed May 27 08:27:58 AM UTC 2026
>>> [ 297.704042] Call trace:
>>> [ 297.704043] show_stack+0x24/0x50 (C)
>>> [ 297.704049] dump_stack_lvl+0x80/0x140
>>> [ 297.704053] print_report+0x100/0x630
>>> [ 297.704057] kasan_report+0xb8/0x130
>>> [ 297.704059] kasan_check_range+0x15c/0x240
>>> [ 297.704061] __asan_memcpy+0x40/0xc8
>>> [ 297.704064] trace_event_raw_event_cxl_port_aer_uncorrectable_error+0x318/0x4b0
>>> [ 297.704066] __traceiter_cxl_port_aer_uncorrectable_error+0x90/0x108
>>> [ 297.704068] cxl_ras_inject_set+0x278/0x3d0
>>> [ 297.704070] simple_attr_write_xsigned.isra.0+0x198/0x298
>>> [ 297.704074] simple_attr_write+0x44/0x88
>>> [ 297.704076] debugfs_attr_write+0x78/0xd0
>>> [ 297.704080] vfs_write+0x1f4/0x960
>>> [ 297.704083] ksys_write+0x100/0x220
>>> [ 297.704085] __arm64_sys_write+0x78/0xc8
>>> [ 297.704087] invoke_syscall.constprop.0+0x150/0x200
>>> [ 297.704090] do_el0_svc+0xd0/0x210
>>> [ 297.704091] el0_svc+0x44/0x138
>>> [ 297.704095] el0t_64_sync_handler+0xc0/0x108
>>> [ 297.704097] el0t_64_sync+0x1b8/0x1c0
>>>
>>> [ 297.704100] Allocated by task 3078:
>>> [ 297.704102] kasan_save_stack+0x40/0x80
>>> [ 297.704104] kasan_save_track+0x24/0x58
>>> [ 297.704105] kasan_save_alloc_info+0x44/0x88
>>> [ 297.704107] __kasan_kmalloc+0x108/0x110
>>> [ 297.704108] __kmalloc_cache_noprof+0x1bc/0x588
>>> [ 297.704111] cxl_ras_inject_set+0xcc/0x3d0
>>> [ 297.704112] simple_attr_write_xsigned.isra.0+0x198/0x298
>>> [ 297.704114] simple_attr_write+0x44/0x88
>>> [ 297.704116] debugfs_attr_write+0x78/0xd0
>>> [ 297.704117] vfs_write+0x1f4/0x960
>>> [ 297.704119] ksys_write+0x100/0x220
>>> [ 297.704120] __arm64_sys_write+0x78/0xc8
>>> [ 297.704122] invoke_syscall.constprop.0+0x150/0x200
>>> [ 297.704123] do_el0_svc+0xd0/0x210
>>> [ 297.704124] el0_svc+0x44/0x138
>>> [ 297.704125] el0t_64_sync_handler+0xc0/0x108
>>> [ 297.704127] el0t_64_sync+0x1b8/0x1c0
>>>
>>> [ 297.704129] The buggy address belongs to the object at ffff0000dd6ee100
>>> which belongs to the cache kmalloc-rnd-09-96 of size 96
>>> [ 297.704132] The buggy address is located 24 bytes inside of
>>> allocated 88-byte region [ffff0000dd6ee100, ffff0000dd6ee158)
>>>
>>> [ 297.704135] The buggy address belongs to the physical page:
>>> [ 297.704138] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15d6e
>>> [ 297.704140] flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)
>>> [ 297.704143] page_type: f5(slab)
>>> [ 297.704147] raw: 017fffc000000000 ffff00008001c1c0 dead000000000100 dead000000000122
>>> [ 297.704148] raw: 0000000000000000 0000000802000200 00000000f5000000 0000000000000000
>>> [ 297.704149] page dumped because: kasan: bad access detected
>>>
>>> [ 297.704150] Memory state around the buggy address:
>>> [ 297.704151] ffff0000dd6ee000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [ 297.704152] ffff0000dd6ee080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [ 297.704153] >ffff0000dd6ee100: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>>> [ 297.704154] ^
>>> [ 297.704155] ffff0000dd6ee180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [ 297.704155] ffff0000dd6ee200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [ 297.704156] =================================================================
>>> """
>>>
>>> Define CXL_HEADERLOG_SIZE as SZ_64. The trace record's header_log field
>>> shrinks from 128 to 16 dwords, but only those 16 were ever real data,
>>> the rest was always junk.
>>>
>>> Fixes: 2f6e9c305127 ("cxl/pci: add tracepoint events for CXL RAS")
>>> Signed-off-by: Richard Cheng <icheng@xxxxxxxxxx>
>>> ---
>>> drivers/cxl/cxl.h | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h
>>> index 1297594beaec..f322d7c79ed2 100644
>>> --- a/drivers/cxl/cxl.h
>>> +++ b/drivers/cxl/cxl.h
>>> @@ -158,8 +158,8 @@ static inline int ways_to_eiw(unsigned int ways, u8 *eiw)
>>> #define CXL_RAS_CAP_CONTROL_FE_MASK GENMASK(5, 0)
>>> #define CXL_RAS_HEADER_LOG_OFFSET 0x18
>>> #define CXL_RAS_CAPABILITY_LENGTH 0x58
>>> -#define CXL_HEADERLOG_SIZE SZ_512
>>> -#define CXL_HEADERLOG_SIZE_U32 SZ_512 / sizeof(u32)
>>> +#define CXL_HEADERLOG_SIZE SZ_64
>>> +#define CXL_HEADERLOG_SIZE_U32 (CXL_HEADERLOG_SIZE / sizeof(u32))
>>>
>>> /* CXL 2.0 8.2.8.1 Device Capabilities Array Register */
>>> #define CXLDEV_CAP_ARRAY_OFFSET 0x0
>>>
>>> base-commit: 6f3ed7fec72fc8979b2a8c7219c0a9fcfc8d07b5
>>