Re: [PATCH] net: hamachi: fix divide by zero in hamachi_init_one

Next message: Erikas Bitovtas: "Re: [PATCH RFC 04/10] arm64: dts: qcom: msm8939: Add venus node"
Previous message: Harry Yoo (Oracle): "Re: [PATCH] docs: Add overview and SLUB allocator sections to slab documentation"
In reply to: Mingyu Wang: "[PATCH] net: hamachi: fix divide by zero in hamachi_init_one"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Lunn

Date: Sat Apr 18 2026 - 11:35:04 EST

On Sat, Apr 18, 2026 at 08:18:04PM +0800, Mingyu Wang wrote:
> During the hardware initialization phase in hamachi_init_one(), the driver
> reads the PCIClkMeas register to calculate the PCI bus frequency.
>
> The current code attempts to prevent a divide-by-zero error using a ternary
> operator: `i ? 2000/(i&0x7f) : 0`. However, this check is flawed. The highest
> bit of `i` (0x80) acts as a ready flag. If unreliable hardware or a malicious
> virtual device returns a value where the ready bit is set but the lower 7 bits
> are zero (e.g., 0x80), the condition `i` evaluates to true, but `(i & 0x7f)`
> evaluates to 0. This results in a fatal divide-by-zero exception.
>
> This bug was discovered during an automated virtual device fuzzing campaign
> testing the hardware-software trust boundary. When the hardware returns 0x80,
> it bypassed the readiness while-loop but triggered the divide error. In our
> tests, this panic interrupted the module loading process, further triggering
> a KASAN slab-out-of-bounds in the module error path, and ultimately leading
> to a multi-core soft lockup and RCU stall.

Isn't that a good result of somebody trying to use emulated hardware
with bad behaviour? The machine grinds to a halt? So it is not
exploitable.

What happens with your patch in place? How are you reporting the
hardware is attacking the machine, and the hardware should not be
trusted?

Andrew