[{"id":3684860,"web_url":"http://patchwork.ozlabs.org/comment/3684860/","msgid":"<1737f22d-1eca-4dee-95cc-6bd397e655dc@molgen.mpg.de>","list_archive_url":null,"date":"2026-04-30T17:20:55","subject":"Re: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range\n ptype in ice_parser_profile_init","submitter":{"id":70275,"url":"http://patchwork.ozlabs.org/api/people/70275/","name":"Paul Menzel","email":"pmenzel@molgen.mpg.de"},"content":"Dear Aleksandr,\n\n\nThank you for your patch.\n\nAm 30.04.26 um 16:21 schrieb Aleksandr Loktionov:\n> set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of\n> ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from\n> providing ptype >= 1024 through VIRTCHNL, resulting in a write past\n> the end of the bitmap and a kernel page fault.\n> \n> Reproduced with a custom kernel module injecting a crafted\n> VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592),\n> FW 4.91 0x800214af 1.3909.0, ICE COMMS DDP 1.3.53.0,\n> kernel 7.1.0-rc1.\n\n7.1-rc1 (no need to resend)\n\n> crash_parser: ice_parser_profile_init @ ffffffffc0d61b60\n> crash_parser: setting ptype=0xffff (max valid=1023)\n> crash_parser: calling ice_parser_profile_init -- expect OOB crash!\n> BUG: kernel NULL pointer dereference, address: 0000000000000000\n> #PF: supervisor write access in kernel mode\n> #PF: error_code(0x0002) - not-present page\n> Oops: Oops: 0002 [#1] SMP NOPTI\n> CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1\n> Hardware name: Intel Corporation S2600BPB/S2600BPB\n> RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]\n> Call Trace:\n> \n> ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]\n> crash_init+0x127/0xff0 [crash_parser]\n> do_one_initcall+0x45/0x310\n> do_init_module+0x64/0x270\n> init_module_from_file+0xcc/0xf0\n> idempotent_init_module+0x17b/0x280\n> __x64_sys_finit_module+0x6e/0xe0\n> \n> Bail out early with -EINVAL when ptype is out of range.\n\nIs a warning logged now?\n\n> Fixes: e312b3a1e209 (\"ice: add API for parser profile initialization\")\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Aleksandr Loktionov \n> ---\n> drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++\n> 1 file changed, 3 insertions(+)\n> \n> diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c b/drivers/net/ethernet/intel/ice/ice_parser.c\n> index f8e6963..3ede4c1 100644\n> --- a/drivers/net/ethernet/intel/ice/ice_parser.c\n> +++ b/drivers/net/ethernet/intel/ice/ice_parser.c\n> @@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result *rslt,\n> \tu16 proto_off = 0;\n> \tu16 off;\n> \n> +\tif (rslt->ptype >= ICE_FLOW_PTYPE_MAX)\n> +\t\treturn -EINVAL;\n> +\n> \tmemset(prof, 0, sizeof(*prof));\n> \tset_bit(rslt->ptype, prof->ptypes);\n> \tif (blk == ICE_BLK_SW) {\n\n\nKind regards,\n\nPaul","headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=nifeNJyB;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g61DD53nhz1xqf\n\tfor ; Fri, 01 May 2026 03:21:16 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 9DE286122E;\n\tThu, 30 Apr 2026 17:21:14 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id OoDSHMXcmvdw; Thu, 30 Apr 2026 17:21:13 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id AF5AA61216;\n\tThu, 30 Apr 2026 17:21:13 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id 2CB6118F\n for ; Thu, 30 Apr 2026 17:21:11 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 2A3A341124\n for ; Thu, 30 Apr 2026 17:21:11 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id fNpW0JC2l7Sy for ;\n Thu, 30 Apr 2026 17:21:10 +0000 (UTC)","from mx3.molgen.mpg.de (mx3.molgen.mpg.de [141.14.17.11])\n by smtp4.osuosl.org (Postfix) with ESMTPS id CC07841123\n for ; Thu, 30 Apr 2026 17:21:08 +0000 (UTC)","from [192.168.44.251] (unknown [185.238.219.95])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested) (Authenticated sender: pmenzel)\n by mx.molgen.mpg.de (Postfix) with ESMTPSA id 611884C2C37F04;\n Thu, 30 Apr 2026 19:20:58 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org AF5AA61216","OpenDKIM Filter v2.11.0 smtp4.osuosl.org CC07841123"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1777569673;\n\tbh=ppNwtIYpqmNzsyjJFtN7uxY11rsuQozEmkHk4j3PaLU=;\n\th=Date:To:Cc:References:From:In-Reply-To:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From;\n\tb=nifeNJyBY2/wQTqXbQER6VKzHUyCBnxjzCjyapNeKRs7DHCXXPcUazl3PaT1B5x42\n\t WsU9lKG26ESFNhu6l1c5u0iIXHkEkjGre7dn5K72av69SuyNVNxa+X/TPMOlJ7p8VT\n\t XPgDjnKawuqy3KrwBMBv1HL6I+FAyUOcMDC9O7RyNo14RrDAnQOtnpJ5cu2qDTugTC\n\t Lbrly+qnqZU+tNx4uNr0Lqe3QiH6lucFKrY6zaesXkNRVsmhn5r2lPvfk955o6tTSq\n\t 9kL7VsJA7mfDhGbBZtUN94mrw/xDYLS40LreHUSl5s/SoKxOJbVXgC8NVR8Yn9AoKR\n\t 97H+SsLnv0cpw==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=141.14.17.11;\n helo=mx3.molgen.mpg.de; envelope-from=pmenzel@molgen.mpg.de;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org CC07841123","Message-ID":"<1737f22d-1eca-4dee-95cc-6bd397e655dc@molgen.mpg.de>","Date":"Thu, 30 Apr 2026 19:20:55 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","To":"Aleksandr Loktionov ","Cc":"intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,\n netdev@vger.kernel.org","References":"<20260430142153.249062-1-aleksandr.loktionov@intel.com>","Content-Language":"en-US","From":"Paul Menzel ","In-Reply-To":"<20260430142153.249062-1-aleksandr.loktionov@intel.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-Mailman-Original-Authentication-Results":"smtp4.osuosl.org;\n dmarc=none (p=none dis=none)\n header.from=molgen.mpg.de","Subject":"Re: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range\n ptype in ice_parser_profile_init","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" "}}]