{"id":2231294,"url":"http://patchwork.ozlabs.org/api/patches/2231294/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260430142153.249062-1-aleksandr.loktionov@intel.com/","project":{"id":46,"url":"http://patchwork.ozlabs.org/api/projects/46/?format=json","name":"Intel Wired Ethernet development","link_name":"intel-wired-lan","list_id":"intel-wired-lan.osuosl.org","list_email":"intel-wired-lan@osuosl.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430142153.249062-1-aleksandr.loktionov@intel.com>","list_archive_url":null,"date":"2026-04-30T14:21:53","name":"[iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"dffa79813c56c4f9956d855aba94fbd8df774864","submitter":{"id":75597,"url":"http://patchwork.ozlabs.org/api/people/75597/?format=json","name":"Aleksandr Loktionov","email":"aleksandr.loktionov@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/intel-wired-lan/patch/20260430142153.249062-1-aleksandr.loktionov@intel.com/mbox/","series":[{"id":502313,"url":"http://patchwork.ozlabs.org/api/series/502313/?format=json","web_url":"http://patchwork.ozlabs.org/project/intel-wired-lan/list/?series=502313","date":"2026-04-30T14:21:53","name":"[iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init","version":1,"mbox":"http://patchwork.ozlabs.org/series/502313/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231294/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231294/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","intel-wired-lan@lists.osuosl.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=osuosl.org header.i=@osuosl.org header.a=rsa-sha256\n header.s=default header.b=ZVKc/Mgp;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=osuosl.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5xFQ6VPDz1xqf\n\tfor ; Fri, 01 May 2026 00:22:02 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id CE41984CDD;\n\tThu, 30 Apr 2026 14:22:00 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id o74ywKFKg7be; Thu, 30 Apr 2026 14:22:00 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 106EC84CD2;\n\tThu, 30 Apr 2026 14:22:00 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id E138318E\n for ; Thu, 30 Apr 2026 14:21:57 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id C72094026A\n for ; Thu, 30 Apr 2026 14:21:57 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id X-_mhguwe0BD for ;\n Thu, 30 Apr 2026 14:21:57 +0000 (UTC)","from mgamail.intel.com (mgamail.intel.com [192.198.163.11])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 0D8094044E\n for ; Thu, 30 Apr 2026 14:21:56 +0000 (UTC)","from fmviesa004.fm.intel.com ([10.60.135.144])\n by fmvoesa105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 30 Apr 2026 07:21:55 -0700","from amlin-019-225.igk.intel.com ([10.102.19.225])\n by fmviesa004.fm.intel.com with ESMTP; 30 Apr 2026 07:21:54 -0700"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=intel-wired-lan-bounces@osuosl.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 106EC84CD2","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0D8094044E"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=osuosl.org;\n\ts=default; t=1777558920;\n\tbh=g6NlEwcDi6WJy6GLs/qxLldlfZfJsbFuOm7fXsHr43g=;\n\th=From:To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=ZVKc/Mgpbg13mj1nZHl4jfJjIvb+prq9pY6DgFtxOnFVWSnvQJ0FV5cgtiTgBFgfb\n\t GQ5tqXVMnwUTBOQrXKlKgpch2OFioyhNzM6ecJQeKjX7tffXTiuLYRXzdkVBlm4L19\n\t zcjMQxRU5wd16Zk7givnbImfgPj7QR68MafaO9Ifk4e/Iq2i2pAD8IfZoyUBf71bdn\n\t LZ0EamuA0p68p48l44rE1gmeejLiIe/7XQgtrntqj97OnZ9KHogQdeXF/uKlsXdal/\n\t dYBkCtLHnAVXvA+KlRcGFPVBcOb+Csg60GA5hCMwn4aeH+z7DOO0IAJzdWvT0BrvsQ\n\t Me37qRwE2wtMQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=192.198.163.11;\n helo=mgamail.intel.com; envelope-from=aleksandr.loktionov@intel.com;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 0D8094044E","X-CSE-ConnectionGUID":["vmtwqMbxTV6dI3BsTs4HZA==","wa+JDUS8Qh25A3rGOjwIWA=="],"X-CSE-MsgGUID":["3pTTpnowQL6osyqydmMeVQ==","+6CKxlaFR/W8YI6VBDFvRA=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11772\"; a=\"89105266\"","E=Sophos;i=\"6.23,208,1770624000\"; d=\"scan'208\";a=\"89105266\"","E=Sophos;i=\"6.23,208,1770624000\"; d=\"scan'208\";a=\"236382905\""],"X-ExtLoop1":"1","From":"Aleksandr Loktionov ","To":"intel-wired-lan@lists.osuosl.org, anthony.l.nguyen@intel.com,\n aleksandr.loktionov@intel.com","Cc":"netdev@vger.kernel.org","Date":"Thu, 30 Apr 2026 16:21:53 +0200","Message-ID":"<20260430142153.249062-1-aleksandr.loktionov@intel.com>","X-Mailer":"git-send-email 2.52.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1777558917; x=1809094917;\n h=from:to:cc:subject:date:message-id:mime-version:\n content-transfer-encoding;\n bh=DCJwLVpYE8Oxc/iSi+wYoHkqwCDP0eV6aMqtwc865HA=;\n b=NlSaP/ZohNxAaC072QWzj/oXRB3kKyHQAF+H7p20U/yn7Bpc6XcdU5fQ\n 8lhh5cUcP78puaGfc0jQicM8UOlPwk6c1U2NAPBwRxtDruO5ENp80FDNP\n qUyZXbXvzG1AFgUda7E9vMIWEPefJJAU6iDOWKrmxFmug0+xCM0Z5k7gC\n Zuekdq3DBGtKVuGw23jZfl/hoj/yAKCdfO3NcJBAeqlfDGRUK4zjiFn06\n x50QzaAU767b8w2cE4hIzURcLmduCzdaiIdOJqPKcjqJNtoRK555Ay8ss\n oV8bUICZKY3NIkPT/wQ5r261Id3EAJmXy5r315BXn9y6gbs0mkFlLhwBM\n A==;","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=none dis=none)\n header.from=intel.com","smtp2.osuosl.org;\n dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com\n header.a=rsa-sha256 header.s=Intel header.b=NlSaP/Zo"],"Subject":"[Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in\n ice_parser_profile_init","X-BeenThere":"intel-wired-lan@osuosl.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Intel Wired Ethernet Linux Kernel Driver Development\n ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"intel-wired-lan-bounces@osuosl.org","Sender":"\"Intel-wired-lan\" "},"content":"set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of\nICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from\nproviding ptype >= 1024 through VIRTCHNL, resulting in a write past\nthe end of the bitmap and a kernel page fault.\n\nReproduced with a custom kernel module injecting a crafted\nVIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592),\nFW 4.91 0x800214af 1.3909.0, ICE COMMS DDP 1.3.53.0,\nkernel 7.1.0-rc1.\n\ncrash_parser: ice_parser_profile_init @ ffffffffc0d61b60\ncrash_parser: setting ptype=0xffff (max valid=1023)\ncrash_parser: calling ice_parser_profile_init -- expect OOB crash!\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nOops: Oops: 0002 [#1] SMP NOPTI\nCPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1\nHardware name: Intel Corporation S2600BPB/S2600BPB\nRIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]\nCall Trace:\n \n ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]\n crash_init+0x127/0xff0 [crash_parser]\n do_one_initcall+0x45/0x310\n do_init_module+0x64/0x270\n init_module_from_file+0xcc/0xf0\n idempotent_init_module+0x17b/0x280\n __x64_sys_finit_module+0x6e/0xe0\n\nBail out early with -EINVAL when ptype is out of range.\n\nFixes: e312b3a1e209 (\"ice: add API for parser profile initialization\")\nCc: stable@vger.kernel.org\nSigned-off-by: Aleksandr Loktionov \n---\n drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++\n 1 file changed, 3 insertions(+)","diff":"diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c b/drivers/net/ethernet/intel/ice/ice_parser.c\nindex f8e6963..3ede4c1 100644\n--- a/drivers/net/ethernet/intel/ice/ice_parser.c\n+++ b/drivers/net/ethernet/intel/ice/ice_parser.c\n@@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result *rslt,\n \tu16 proto_off = 0;\n \tu16 off;\n \n+\tif (rslt->ptype >= ICE_FLOW_PTYPE_MAX)\n+\t\treturn -EINVAL;\n+\n \tmemset(prof, 0, sizeof(*prof));\n \tset_bit(rslt->ptype, prof->ptypes);\n \tif (blk == ICE_BLK_SW) {\n","prefixes":["iwl-net"]}