The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
bnxt_async_event_process() uses a firmware-supplied 'type' field
directly as an index into bp->bs_trace[] without bounds validation.
The 'type' field is a 16-bit value extracted from DMA-mapped completion
ring memory that the NIC writes directly to host RAM. A malicious or
compromised NIC can supply any value from 0 to 65535, causing an
out-of-bounds access into kernel heap memory.

The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
kernel memory corruption or a crash.

Fix by adding a bounds check and defining BNXT_TRACE_MAX as
DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
defined firmware trace types (0x0 through 0xc).
Fixes:
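A constructed C model of the handler described above, added here and not taken from the driver: it shows the NIC-supplied 16-bit type being checked against BNXT_TRACE_MAX before it is used to index the trace array, and counts how many of the 65536 possible values reach the array once the check is in place. The struct layout, the static array and the wrap detection are simplified assumptions, not the driver's real definitions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the trace bookkeeping; the names follow the commit
 * message, the struct layout and the wrap logic are simplified. */
#define DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE 0xc
#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)

struct bs_trace_info {
	uint32_t last_offset;
	bool wrapped;
};

static struct bs_trace_info bs_trace[BNXT_TRACE_MAX];

/* Hardened handler. 'type' is the 16-bit field the NIC wrote into the
 * completion ring, so it is untrusted until compared with the array size.
 * Returns 0 when the event is processed, -1 when it is rejected. */
int dbg_buf_producer_event(uint16_t type, uint32_t offset)
{
	struct bs_trace_info *t;

	if (type >= BNXT_TRACE_MAX)	/* the bounds check the fix adds */
		return -1;

	t = &bs_trace[type];
	if (offset < t->last_offset)	/* producer moved backwards: wrapped */
		t->wrapped = true;
	t->last_offset = offset;
	return 0;
}

/* Feed every value the 16-bit field can carry; with the check in place
 * only BNXT_TRACE_MAX of them are allowed to touch the array. */
unsigned int count_accepted_types(void)
{
	unsigned int n = 0;
	uint32_t type;

	for (type = 0; type <= 0xffff; type++)
		if (dbg_buf_producer_event((uint16_t)type, 0) == 0)
			n++;
	return n;
}
```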