MMIO region out-of-bounds access in bnx2x_init_shmem()

From: Kyungwook Boo
Date: Mon Mar 03 2025 - 05:42:04 EST

Next message: tip-bot2 for Anna-Maria Behnsen: "[tip: timers/vdso] vdso: Move arch related data before basetime"
Previous message: Geert Uytterhoeven: "Re: [PATCH 3/3] net: stmmac: Add DWMAC glue layer for Renesas GBETH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

It seems there's an issue in bnx2x_init_shmem() that allows an MMIO access
address offset to be set directly from the device without either range check or
filtering, potentially leading to an out-of-bounds MMIO region access.

In bnx2x_init_shmem(), bp->common.shmem_base is assigned from an MMIO read:

bp->common.shmem_base = REG_RD(bp, MISC_REG_SHARED_MEM_ADDR);

This shmem_base value is then used to calculate an address for another MMIO
read:

if (bp->common.shmem_base) {
val = SHMEM_RD(bp, validity_map[BP_PORT(bp)]); // Out-of-bounds access here
/*
in bnx2x.h,
#define SHMEM_ADDR(bp, field) (bp->common.shmem_base + \
offsetof(struct shmem_region, field))
#define SHMEM_RD(bp, field) REG_RD(bp, SHMEM_ADDR(bp, field))
*/

If shmem_base was set with an unexpected large value, causing an MMIO region
out-of-bounds read access.

Futhermore, I think similar issue could occur also at shmem2_base case:

// in bnx2x_get_common_hwinfo()
bp->common.shmem2_base = REG_RD(bp, (BP_PATH(bp) ?
MISC_REG_GENERIC_CR_1 :
MISC_REG_GENERIC_CR_0));
...
if (SHMEM2_RD(bp, size) >
(u32)offsetof(struct shmem2_region, lfa_host_addr[BP_PORT(bp)]))

It seems that a range check patch is needed for shmem_base and shmem2_base, but
I am not entirely sure what the correct range should be.

Could you check this?

Best regards,
Kyungwook Boo

Next message: tip-bot2 for Anna-Maria Behnsen: "[tip: timers/vdso] vdso: Move arch related data before basetime"
Previous message: Geert Uytterhoeven: "Re: [PATCH 3/3] net: stmmac: Add DWMAC glue layer for Renesas GBETH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]