From: Tyllis Xu
X-Google-Original-From: Tyllis Xu
To: arnd@arndb.de, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, danisjiang@gmail.com, ychen@northwestern.edu, Tyllis Xu
Subject: [PATCH] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
Date: Sat, 14 Mar 2026 11:58:05 -0500
Message-ID: <20260314165805.548293-1-LivelyCarpet87@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The ibmasm_send_i2o_message() function uses get_dot_command_size() to
compute the byte count for memcpy_toio(), but this value is derived from
user-controlled fields in the dot_command_header (command_size: u8,
data_size: u16) and is never validated against the actual allocation
size. A root user can write a small buffer with inflated header fields,
causing memcpy_toio() to read up to ~65 KB past the end of the
allocation into adjacent kernel heap, which is then forwarded to the
service processor over MMIO.

Silently clamping the copy size is not sufficient: if the header fields
claim a larger size than the buffer, the SP receives a dot command whose
own header is inconsistent with the I2O message length, which can cause
the SP to desynchronize. Reject such commands outright by returning
failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking
an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
frame from the controller's free pool, and returning without a
corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the
memcpy_toio() so the MMIO write stays within the I2O message frame,
consistent with the clamping already performed by
outgoing_message_size() for the header field.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yuhao Jiang
Cc: stable@vger.kernel.org
Signed-off-by: Tyllis Xu
---
 drivers/misc/ibmasm/lowlevel.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/ibmasm/lowlevel.c b/drivers/misc/ibmasm/lowlevel.c index 1a59d1b8e05e..xxxxxxxxxxxx 100644 --- a/drivers/misc/ibmasm/lowlevel.c +++ b/drivers/misc/ibmasm/lowlevel.c @@ -19,17 +19,21 @@ static struct i2o_header header =3D I2O_HEADER_TEMPLATE; int ibmasm_send_i2o_message(struct service_processor *sp) { u32 mfa; - unsigned int command_size; + size_t command_size; struct i2o_message *message; struct command *command =3D sp->current_command; + command_size =3D get_dot_command_size(command->buffer); + if (command_size > command->buffer_size) + return 1; + if (command_size > I2O_COMMAND_SIZE) + command_size =3D I2O_COMMAND_SIZE; + mfa =3D get_mfa_inbound(sp->base_address); if (!mfa) return 1; - command_size =3D get_dot_command_size(command->buffer); - header.message_size =3D outgoing_message_size(command_size); - + header.message_size =3D outgoing_message_size((unsigned int)command_size); message =3D get_i2o_message(sp->base_address, mfa); memcpy_toio(&message->header, &header, sizeof(struct i2o_header)); --=20 2.39.0
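Review bot: The clamp `if (command_size > I2O_COMMAND_SIZE) command_size = I2O_COMMAND_SIZE;` added to the hunk is at odds with the commit message's own reasoning that silently clamping is not sufficient because the SP then receives a dot command whose header disagrees with the I2O message length: a command that fits its buffer but exceeds I2O_COMMAND_SIZE is still truncated on the wire rather than rejected. Either return 1 for that case too, mirroring the `if (command_size > command->buffer_size) return 1;` check, or explain in the commit message why truncation to the frame size is acceptable where truncation to the buffer size is not. Two smaller points in the same hunk: widening command_size to size_t forces the `(unsigned int)` cast back at outgoing_message_size(), and since the value is already bounded by I2O_COMMAND_SIZE when it is used, keeping `unsigned int` would avoid the cast unless command->buffer_size is a size_t and the type change is meant to silence a comparison warning, in which case say so; and the hunk drops the blank line between the header.message_size assignment and `message = get_i2o_message(...)`, which is unrelated to the fix and should be restored. Finally, the file header carries `index 1a59d1b8e05e..xxxxxxxxxxxx`, a placeholder post-image blob id, so the patch should be regenerated with git format-patch against the tree it was tested on before it is applied.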