misc: bcm-vk: unbounded entry_size overflows proc_mon entries[]
From: Maoyi Xie
Date: Tue Jun 23 2026 - 04:07:04 EST
Hi,
I think bcm_vk_get_proc_mon_info() in drivers/misc/bcm-vk/bcm_vk_dev.c can
overflow the fixed entries[] array when the card reports a large entry
size. I would appreciate it if you could let me know whether you agree.
The function reads num and entry_size from the card's BAR_2 and clamps num,
but not entry_size.
num = vkread32(vk, BAR_2, offset);
entry_size = vkread32(vk, BAR_2, offset + sizeof(num));
if (num > BCM_VK_PROC_MON_MAX) {
        ...
        return;
}
mon->num = num;
mon->entry_size = entry_size;
...
dst = (u8 *)&mon->entries[0];
offset += sizeof(num) + sizeof(entry_size);
memcpy_fromio(dst, vk->bar[BAR_2] + offset, num * entry_size);
num is bounded to BCM_VK_PROC_MON_MAX (8), but entry_size comes straight
from BAR_2. entries[] is struct bcm_vk_proc_mon_entry_t[8], 16 bytes each,
so 128 bytes, inside the kzalloc'd struct bcm_vk. A large entry_size makes
num * entry_size exceed 128, so the memcpy_fromio writes past entries[]
into the rest of struct bcm_vk and off the slab.
The same driver already distrusts a BAR_2 length in the peer-log path.
bcm_vk_get_card_info() range-checks buf_size against BCM_VK_PEER_LOG_BUF_MAX
and zeroes the record if it is out of range, with the comment "in case the
BAR2 memory has been corrupted". entry_size here has no such check.
I reproduced the write on 7.1-rc7 by replaying the copy with entries[]
placed at the end of a page and a large entry_size.
BUG: unable to handle page fault for address: ...
#PF: error_code(0x0002) - not-present page
RIP: ... memcpy, CR2 = the guard page
A check that num * entry_size stays within sizeof(mon->entries), or a clamp
of entry_size to sizeof(struct bcm_vk_proc_mon_entry_t), would close it.
Does this look like a real bug to you, and is that the right fix? I am happy
to send a proper patch once you confirm.
Kaixuan Li and I found this together.
Thanks,
Maoyi
https://maoyixie.com/
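Added example, not part of the report above and not the driver's own code: a user-space model of the proc_mon copy with the bounds check the report proposes. The sizes come from the report (BCM_VK_PROC_MON_MAX of 8, 16-byte entries, 128 bytes total); the field names inside the entry, the struct bcm_vk_proc_mon_info wrapper, the fake_bar2 buffer standing in for the BAR_2 window, and the helper names are assumptions made for this example. Besides comparing num * entry_size against sizeof(entries), it computes the product in 64 bits so a card-supplied entry_size cannot wrap the 32-bit multiplication past the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* From the report: at most 8 entries of 16 bytes each (128 bytes). */
#define BCM_VK_PROC_MON_MAX 8

/* Placeholder field names: the real entry layout is not reproduced here,
 * only its 16-byte size matters for the check. */
struct bcm_vk_proc_mon_entry_t {
	uint32_t f0, f1, f2, f3;
};

/* Assumed wrapper mirroring the fields the report shows being written. */
struct bcm_vk_proc_mon_info {
	uint32_t num;
	uint32_t entry_size;
	struct bcm_vk_proc_mon_entry_t entries[BCM_VK_PROC_MON_MAX];
};

/* Stand-in for the card's BAR_2 window: [num][entry_size][entry data].
 * In the driver these are read with vkread32() and memcpy_fromio(). */
struct fake_bar2 {
	uint32_t num;
	uint32_t entry_size;
	uint8_t  data[BCM_VK_PROC_MON_MAX * sizeof(struct bcm_vk_proc_mon_entry_t)];
};

/* Returns bytes copied into mon->entries, or -1 if the header is rejected.
 * The num clamp is the existing one; the entry_size and product checks are
 * the fix the report suggests, done in 64 bits to rule out wraparound. */
static int proc_mon_copy_checked(struct bcm_vk_proc_mon_info *mon,
				 const struct fake_bar2 *bar)
{
	uint32_t num = bar->num;
	uint32_t entry_size = bar->entry_size;
	uint64_t total;

	if (num > BCM_VK_PROC_MON_MAX)
		return -1;
	if (entry_size > sizeof(struct bcm_vk_proc_mon_entry_t))
		return -1;
	total = (uint64_t)num * entry_size;
	if (total > sizeof(mon->entries))
		return -1;

	mon->num = num;
	mon->entry_size = entry_size;
	memcpy(mon->entries, bar->data, (size_t)total);
	return (int)total;
}

/* Builds a constructed BAR_2 image with the given header and a byte
 * pattern, runs the checked copy, and verifies the copied bytes.
 * Returns bytes copied, -1 if rejected, -2 if the copy is corrupted. */
int demo_case(uint32_t num, uint32_t entry_size)
{
	struct fake_bar2 bar;
	struct bcm_vk_proc_mon_info mon;
	int n;

	memset(&mon, 0, sizeof(mon));
	bar.num = num;
	bar.entry_size = entry_size;
	for (size_t i = 0; i < sizeof(bar.data); i++)
		bar.data[i] = (uint8_t)i;   /* constructed pattern */

	n = proc_mon_copy_checked(&mon, &bar);
	if (n < 0)
		return n;
	if (memcmp(mon.entries, bar.data, (size_t)n) != 0)
		return -2;
	return n;
}

int main(void)
{
	printf("num=8 size=16  -> %d\n", demo_case(8, 16));          /* 128 */
	printf("num=8 size=64  -> %d\n", demo_case(8, 64));          /* -1  */
	printf("num=9 size=16  -> %d\n", demo_case(9, 16));          /* -1  */
	printf("num=8 size=2^29 -> %d\n", demo_case(8, 0x20000000)); /* -1  */
	return 0;
}
```

The 0x20000000 case is the one the 64-bit product guards against: 8 * 0x20000000 is 0 in 32-bit arithmetic and would pass a naive `num * entry_size <= sizeof(entries)` comparison, so the clamp on entry_size itself is the check that actually closes the hole.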