[PATCH v8 0/2] misc: ibmasm: Fix out-of-bounds MMIO accesses

From: Mingyu Wang

Date: Sat Jul 18 2026 - 03:33:26 EST


This patch series fixes two distinct out-of-bounds (OOB) MMIO access
vectors in the ibmasm driver when exposed to malformed or fuzzed hardware
with an undersized BAR 0.

Patch 1 addresses the static OOB access during the probe phase.
Patch 2 addresses the dynamic OOB accesses via malicious hardware MFAs
during runtime interrupts.

Changes in v8:
- Patch 2: Addressed static analysis feedback by removing
set_mfa_inbound() from the error path. Submitting an out-of-bounds
MFA instructs the hardware to execute from an invalid physical
address (Wild DMA). Dropping the MFA safely favors a device stall
over host memory corruption.

Changes in v7:
- Patch 2: Addressed a pre-existing logic bug caught by static analysis
where the driver passed the total message size instead of the payload
size to ibmasm_receive_message(), causing a 12-byte OOB read. Added an
underflow safeguard (data_size < sizeof(i2o_header)) and corrected the
passed payload size.

Changes in v6:
- Patch 2: Fixed a mathematical error in the dynamic bounds check where
the header size was double-counted, which would have incorrectly
rejected valid hardware messages.

Changes in v5:
- Patch 1: Extended static bounds check threshold to 0xAC1FC to correctly
cover display_depth() accesses identified by static analysis.
- Patch 2: Moved get_i2o_message() out of line into lowlevel.c to avoid
text bloat, as requested by Greg KH.

Changes in v4:
- Patch 1: Extended static bounds check to cover remote input device
registers (up to 0xAC000) that are unconditionally accessed
during probe.
- Patch 2: Added dynamic payload size to bounds calculation to prevent
trailing out-of-bounds memcpy_toio().
- Patch 2: Restored set_mfa_inbound() in the error path to prevent
hardware queue deadlocks, and used safe subtraction for dynamic bounds
checking to prevent integer overflow bypasses.

Changes in v3:
- Split the monolithic v2 patch into a 2-patch series to separate the
probe-time static checks from the runtime dynamic checks, as requested
by Greg KH.

Changes in v2:
- Added dynamic MFA bounds checking in get_i2o_message().
- Implemented hardware mailbox deadlock prevention.
- Fixed potential unsigned integer underflow in bounds check arithmetic.

Mingyu Wang (2):
misc: ibmasm: Fix static out-of-bounds MMIO access during probe
misc: ibmasm: Fix dynamic out-of-bounds MMIO access via malicious MFA

drivers/misc/ibmasm/ibmasm.h | 1 +
drivers/misc/ibmasm/lowlevel.c | 42 ++++++++++++++++++++++++++++++----
drivers/misc/ibmasm/lowlevel.h | 23 +++++++++++++++----
drivers/misc/ibmasm/module.c | 13 +++++++++++
4 files changed, 71 insertions(+), 8 deletions(-)

--
2.34.1