Re: [PATCH] misc: ibmasm: Fix out-of-bounds MMIO access during module load
From: Mingyu Wang
Date: Tue Jun 23 2026 - 07:48:13 EST
Hi Greg,
> > When evaluating the driver against emulated hardware or during virtual
> > device fuzzing, a malformed device may expose a significantly undersized
> > BAR 0 (e.g., 4KB). In this scenario, the readl() in enable_sp_interrupts()
> > crosses the mapped page boundary into unmapped memory, causing a page fault
> > during probe.
>
> The kernel trusts the hardware to not do foolish things like this 🙂
>
> Are you sure this is the only code path for this type of issue for this
> device/driver? Why just worry about this one?
You were absolutely right to ask. Prompted by your question, I did a full
audit of the MMIO access paths in this driver.
I found that the dynamic MFA (Message Frame Address) reads from the hardware
queues, which are used directly as offsets in `get_i2o_message()`, are also
highly vulnerable to OOB accesses if the fuzzed hardware returns malicious
offsets during runtime.
I have just submitted a v2 patch in this thread that comprehensively fixes
both the static OOB during probe and the dynamic OOB during runtime.
Thank you very much for catching this and pointing me in the right direction!
Best regards,
Mingyu Wang
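As an added illustration of the two checks discussed in this thread (not code from the patch or from the ibmasm driver): a probe-time minimum-size check on BAR 0, and validation of a device-supplied message frame address before it is used as an offset into the mapping. It is a host-side model with a byte array standing in for the ioremapped window; SP_MMIO_MIN_LEN, I2O_FRAME_LEN, the I2O_QUEUE_EMPTY sentinel and all function names are assumptions.

```c
/* Added example (not the driver's code): bounds-check device-supplied
 * I2O message frame addresses against the mapped BAR length, the way a
 * defensive get_i2o_message() would, plus the probe-time BAR size check.
 * The constants and function names below are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

#define SP_MMIO_MIN_LEN  0x4000u      /* assumed minimum register window */
#define I2O_FRAME_LEN    64u          /* assumed size of one message frame */
#define I2O_QUEUE_EMPTY  0xFFFFFFFFu  /* assumed "queue empty" sentinel */

/* Probe-time check: refuse an undersized BAR 0 instead of mapping it and
 * letting a fixed-offset readl() run past the end of the mapping. */
static bool sp_bar_usable(uint64_t bar_len)
{
    return bar_len >= SP_MMIO_MIN_LEN;
}

/* Runtime check: an MFA read from the hardware queue may only be used as
 * an offset if the whole frame lies inside the mapping and is 4-byte
 * aligned. 64-bit arithmetic keeps mfa + frame length from wrapping. */
static bool mfa_in_bounds(uint32_t mfa, uint64_t bar_len)
{
    if (mfa == I2O_QUEUE_EMPTY)
        return false;
    if (mfa & 3u)
        return false;
    return (uint64_t)mfa + I2O_FRAME_LEN <= bar_len;
}

/* Model of the message fetch: `bar` stands in for the mapped window and
 * `mfa` is what the device returned. The frame is copied only after the
 * offset has been validated; returns dwords copied (0 = rejected/empty). */
static size_t fetch_i2o_message(const uint8_t *bar, uint64_t bar_len,
                                uint32_t mfa, uint32_t *out, size_t out_dwords)
{
    if (!mfa_in_bounds(mfa, bar_len))
        return 0;
    size_t n = I2O_FRAME_LEN / 4;
    if (n > out_dwords)
        n = out_dwords;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = bar + mfa + 4 * i;   /* little-endian dword */
        out[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return n;
}
```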