From: Tyllis Xu
To: gregkh@linuxfoundation.org
Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, stable@vger.kernel.org, ychen@northwestern.edu, danisjiang@gmail.com, Tyllis Xu
Subject: [PATCH] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
Date: Sun, 8 Mar 2026 00:21:08 -0600
Message-ID: <20260308062108.258940-1-LivelyCarpet87@gmail.com>

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes:

    queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.
Reported-by: Yuhao Jiang
Fixes: 278d72ae8803 ("[PATCH] ibmasm driver: redesign handling of remote control events")
Cc: stable@vger.kernel.org
Cc: ychen@northwestern.edu
Signed-off-by: Tyllis Xu
---
 drivers/misc/ibmasm/remote.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/misc/ibmasm/remote.c b/drivers/misc/ibmasm/remote.c index ec816d3b38cb..521531738c9a 100644 --- a/drivers/misc/ibmasm/remote.c +++ b/drivers/misc/ibmasm/remote.c @@ -177,6 +177,11 @@ void ibmasm_handle_mouse_interrupt(struct service_proc= essor *sp) writer =3D get_queue_writer(sp); =20 while (reader !=3D writer) { + if (reader >=3D REMOTE_QUEUE_SIZE || writer >=3D REMOTE_QUEUE_SIZE) { + set_queue_reader(sp, 0); + break; + } + memcpy_fromio(&input, get_queue_entry(sp, reader), sizeof(struct remote_input)); =20
-- 
2.43.0
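Review bot: the out-of-range branch in this hunk resets the reader index and breaks without leaving any trace; add a rate-limited warning (for example dev_warn_ratelimited() against the service processor's device) and a one-line comment above the `if` saying that both indices come straight from the service processor and are untrusted, so a misbehaving or compromised device shows up in the kernel log instead of being silently tolerated. The comparison itself is right: valid indices are 0..REMOTE_QUEUE_SIZE-1, so `>=` rather than `>` is needed (the description's "exceeds REMOTE_QUEUE_SIZE" would read more precisely as "reaches or exceeds"), and because `writer` is re-read on every iteration, checking at the top of the loop body also covers a value that changes mid-loop. The following `get_queue_entry(sp, reader)` uses the same local `reader` that was just validated, so there is no time-of-check/time-of-use gap on the reader side.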
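The unchecked index arithmetic and the shape of the fix, as an added C model that is not the driver's code: the fake service processor, its field names, the BAR size and the scenario runner are constructed here, while REMOTE_QUEUE_SIZE, the 8-byte entry and the reset-to-0 behaviour are taken from the description above.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the ibmasm remote-input ring (not the driver's code);
 * queue length and 8-byte entry size follow the patch description. */
#define REMOTE_QUEUE_SIZE 60
#define ENTRY_SIZE 8
#define BAR_SIZE 4096   /* assumed size of the fake PCI BAR holding the queue */

struct remote_input { uint8_t b[ENTRY_SIZE]; };
/* Fake service processor: reader/writer stand in for the MMIO index registers
 * the device controls, so the host must treat them as untrusted; next_writer
 * is the value the "device" moves writer to whenever the host re-reads it. */
struct fake_sp { uint8_t bar[BAR_SIZE]; uint32_t reader, writer, next_writer; };

/* Unchecked offset arithmetic with the same shape as get_queue_entry(). */
static uint32_t entry_offset(uint32_t idx) { return idx * ENTRY_SIZE; }
/* 1 if an unchecked index would at least stay inside the BAR mapping. */
static int offset_in_bar(uint32_t idx) { return entry_offset(idx) + ENTRY_SIZE <= BAR_SIZE; }

/* Handler in the shape of the fix: both indices are validated at the top of
 * every iteration, before the copy. Returns entries consumed, or -1 after
 * resetting reader to 0 when an index from the device was out of range. */
static int handle_interrupt(struct fake_sp *sp, struct remote_input *out, int cap)
{
    uint32_t reader = sp->reader, writer = sp->writer; int n = 0;
    while (reader != writer) {
        if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
            sp->reader = 0;
            return -1;
        }
        if (n < cap)
            memcpy(&out[n], sp->bar + entry_offset(reader), ENTRY_SIZE);
        n++;
        sp->reader = reader = (reader + 1) % REMOTE_QUEUE_SIZE;
        writer = sp->writer = sp->next_writer;   /* device may move writer mid-loop */
    }
    return n;
}

/* Scenario runner: entry i of the constructed queue starts with byte value i;
 * returns the handler result and leaves the device state in g_sp. */
static struct fake_sp g_sp;
static struct remote_input g_out[REMOTE_QUEUE_SIZE];
static int run_case(uint32_t reader, uint32_t writer, uint32_t next_writer)
{
    memset(&g_sp, 0, sizeof(g_sp));
    for (uint32_t i = 0; i < REMOTE_QUEUE_SIZE; i++)
        g_sp.bar[entry_offset(i)] = (uint8_t)i;
    g_sp.reader = reader; g_sp.writer = writer; g_sp.next_writer = next_writer;
    return handle_interrupt(&g_sp, g_out, REMOTE_QUEUE_SIZE);
}
```

The second scenario in the test is the mid-loop case from the description: one entry is consumed, the device then moves writer out of range, and the check at the top of the next iteration catches it before any copy.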