Re: misc: bcm-vk: unbounded entry_size overflows proc_mon entries[]

From: Scott Branden

Date: Tue Jun 23 2026 - 12:52:13 EST


Hi Maoyi,

We have never had any reported issue.  The firmware provides valid information back to the driver, preventing such corruption.
I'm sure there would be many other places in the driver that checks would need to be added if we can't trust the data provided by the card.

Regards, 
Scott


On Tue, Jun 23, 2026 at 1:05 AM Maoyi Xie <maoyixie.tju@xxxxxxxxx> wrote:
Hi,

I think bcm_vk_get_proc_mon_info() in drivers/misc/bcm-vk/bcm_vk_dev.c can
overflow the fixed entries[] array when the card reports a large entry
size. I would appreciate it if you could let me know whether you agree.

The function reads num and entry_size from the card BAR_2 and clamps num,
but not entry_size.

        num = vkread32(vk, BAR_2, offset);
        entry_size = vkread32(vk, BAR_2, offset + sizeof(num));

        if (num > BCM_VK_PROC_MON_MAX) {
                ...
                return;
        }
        mon->num = num;
        mon->entry_size = entry_size;
        ...
        dst = (u8 *)&mon->entries[0];
        offset += sizeof(num) + sizeof(entry_size);
        memcpy_fromio(dst, vk->bar[BAR_2] + offset, num * entry_size);

num is bounded to BCM_VK_PROC_MON_MAX (8), but entry_size comes straight
from BAR_2. entries[] is struct bcm_vk_proc_mon_entry_t[8], 16 bytes each,
so 128 bytes, inside the kzalloc'd struct bcm_vk. A large entry_size makes
num * entry_size exceed 128, so the memcpy_fromio writes past entries[]
into the rest of struct bcm_vk and off the slab.

The same driver already distrusts a BAR_2 length in the peer-log path.
bcm_vk_get_card_info() range-checks buf_size against BCM_VK_PEER_LOG_BUF_MAX
and zeroes the record if it is out of range, with the comment "in case the
BAR2 memory has been corrupted". entry_size here has no such check.

I reproduced the write on 7.1-rc7 by replaying the copy with entries[]
placed at the end of a page and a large entry_size.

  BUG: unable to handle page fault for address: ...
  #PF: error_code(0x0002) - not-present page
  RIP: ... memcpy, CR2 = the guard page

A check that num * entry_size stays within sizeof(mon->entries), or a clamp
of entry_size to sizeof(struct bcm_vk_proc_mon_entry_t), would close it.
Does this look like a real bug to you, and is that the right fix? I am happy
to send a proper patch once you confirm.

Kaixuan Li and I found this together.

Thanks,
Maoyi
https://maoyixie.com/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
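The overrun and the proposed bound, as an added user-space model that is not part of this thread or of the bcm-vk driver. The bcm_vk_proc_mon_* names and the sizes (8 entries of 16 bytes, 128 bytes total) follow the mail above; fake_vk, vk_alloc, make_bar2, run_copy and the two proc_mon_copy_* routines, plus the constructed BAR_2 image they operate on, are assumptions made for the demo. The unchecked routine mirrors the quoted logic (num clamped, entry_size not) and is run against a payload of 8 entries of 24 bytes, which writes 192 bytes into a 128-byte array and clobbers a canary placed directly after it; the checked routine rejects the same image and leaves the struct untouched.

```c
/* Added example, not code from the bcm-vk driver: user-space model of the
 * proc_mon copy, unchecked form beside a checked one.  bcm_vk_proc_mon_*
 * names and sizes follow the mail; fake_vk, vk_alloc, make_bar2, run_copy
 * and proc_mon_copy_* are names invented for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BCM_VK_PROC_MON_MAX 8
#define CANARY 0xC0FFEE42u
#define HDR_LEN 8	/* sizeof(num) + sizeof(entry_size) */

struct bcm_vk_proc_mon_entry_t { uint8_t raw[16]; };	/* 16 bytes, per the mail */

struct bcm_vk_proc_mon_info {
	uint32_t num;
	uint32_t entry_size;
	struct bcm_vk_proc_mon_entry_t entries[BCM_VK_PROC_MON_MAX];	/* 128 bytes */
};

/* Stand-in for the kzalloc'd struct bcm_vk; the canary right after entries[]
 * makes an overrun observable. */
struct fake_vk {
	struct bcm_vk_proc_mon_info proc_mon;
	uint32_t canary;
};

/* Struct plus slack, so the demo overrun stays in memory we own instead of
 * faulting on a guard page as in the repro. */
union vk_alloc {
	struct fake_vk vk;
	uint8_t bytes[512];
};

struct outcome { int rc; int canary_intact; };

static uint32_t rd32(const uint8_t *p, size_t off)
{
	uint32_t v;
	memcpy(&v, p + off, sizeof(v));
	return v;
}

/* Constructed BAR_2 image: [num][entry_size][num * entry_size bytes of 0xAB]. */
static size_t make_bar2(uint8_t *bar, size_t cap, uint32_t num, uint32_t esz)
{
	size_t payload = (size_t)num * esz;

	if (HDR_LEN + payload > cap)
		return 0;
	memcpy(bar, &num, 4);
	memcpy(bar + 4, &esz, 4);
	memset(bar + HDR_LEN, 0xAB, payload);
	return HDR_LEN + payload;
}

/* Mirrors the quoted driver logic: num is clamped, entry_size is not. */
static int proc_mon_copy_unchecked(union vk_alloc *a, const uint8_t *bar, size_t bar_len)
{
	uint32_t num = rd32(bar, 0);
	uint32_t entry_size = rd32(bar, 4);
	size_t len = (size_t)num * entry_size;
	size_t dst = offsetof(struct fake_vk, proc_mon) +
		     offsetof(struct bcm_vk_proc_mon_info, entries);

	if (num > BCM_VK_PROC_MON_MAX)
		return -1;
	if (HDR_LEN + len > bar_len)	/* demo-only guard: read only our own buffer */
		return -3;
	a->vk.proc_mon.num = num;
	a->vk.proc_mon.entry_size = entry_size;
	/* Byte copy into the allocation at &entries[0]; nothing bounds len by
	 * sizeof(entries), so it runs on into the rest of the struct. */
	memcpy(a->bytes + dst, bar + HDR_LEN, len);
	return 0;
}

/* Checked form: reject an entry_size the fixed array cannot hold.  With
 * num <= 8 and entry_size <= 16, len <= 128 and cannot wrap. */
static int proc_mon_copy_checked(union vk_alloc *a, const uint8_t *bar, size_t bar_len)
{
	uint32_t num = rd32(bar, 0);
	uint32_t entry_size = rd32(bar, 4);
	size_t len;

	if (num > BCM_VK_PROC_MON_MAX)
		return -1;
	if (entry_size > sizeof(struct bcm_vk_proc_mon_entry_t))
		return -2;	/* corrupt or hostile BAR_2: leave mon untouched */
	len = (size_t)num * entry_size;	/* <= sizeof(a->vk.proc_mon.entries) */
	if (HDR_LEN + len > bar_len)
		return -3;
	a->vk.proc_mon.num = num;
	a->vk.proc_mon.entry_size = entry_size;
	memcpy(a->vk.proc_mon.entries, bar + HDR_LEN, len);
	return 0;
}

/* Runs one copy routine against a constructed BAR_2 image and reports the
 * return code and whether the canary after entries[] survived. */
static struct outcome run_copy(int (*copy)(union vk_alloc *, const uint8_t *, size_t),
			       uint32_t num, uint32_t esz)
{
	union vk_alloc a;
	uint8_t bar[256];
	struct outcome o = { -99, 0 };
	size_t bar_len = make_bar2(bar, sizeof(bar), num, esz);

	if (!bar_len)
		return o;
	memset(&a, 0, sizeof(a));	/* kzalloc'd */
	a.vk.canary = CANARY;
	o.rc = copy(&a, bar, bar_len);
	o.canary_intact = (a.vk.canary == CANARY);
	return o;
}
```

run_copy(proc_mon_copy_unchecked, 8, 24) returns rc 0 with the canary clobbered (0xABABABAB), while run_copy(proc_mon_copy_checked, 8, 24) returns -2 with the canary intact. Bounding entry_size itself, rather than only the product, also keeps the stored mon->entry_size meaningful for whatever reads it later and leaves no 32-bit wraparound in num * entry_size to reason about.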