Re: lpfc: unbounded QFPA response length in lpfc_cmpl_els_qfpa()

From: Justin Tee

Date: Mon Jun 22 2026 - 13:42:30 EST


Hi Maoyi,

> This runs when the VMID feature is negotiated. The attacker is a malicious
> or compromised fabric switch or target answering the QFPA request.
>
> I reproduced the overflow on 7.1-rc7. I ran the same copy with a 1020 byte
> qfpa_res buffer and a len that makes len + 8 larger than it. The copy runs
> past the buffer and faults.

Is it possible to provide the fabric switch and target hardware details, i.e. model and version numbers, used to reproduce this issue?

> Does this look like a real bug to you, and is bounding len the right
> approach? If so I am happy to send a proper patch with a Fixes tag and Cc
> stable.

No, this does not look like a real bug because the payload comes from an implicitly trusted source within the fabric. Hence, it would be helpful to share the switch and target details on which this issue was found. That said, we are already aware of this through AI security scan warnings and it will be addressed in a near lpfc version update.

Regards,
Justin