Skip to content

Commit 92998dd

Browse files
jstancekjstancek
committed
Merge: CVE-2025-22104: ibmvnic: Use kernel helpers for hex dumps
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/831 JIRA: https://issues.redhat.com/browse/RHEL-89030 CVE: CVE-2025-22104 ``` commit d93a6ca Author: Nick Child <nnac123@linux.ibm.com> Date: Thu Mar 20 16:29:51 2025 -0500 ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 <...> ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ================================================================== BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic] Read of size 8 at addr c0000001331a9aa8 by task ip/17681 <...> Allocated by task 17681: <...> ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 <...> The buggy address is located 168 bytes inside of allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf) <...> ================================================================= ibmvnic 30000003 env3: 000000000033766e Fixes: 032c5e8 ("Driver for IBM System i/p VNIC protocol") Signed-off-by: Nick Child <nnac123@linux.ibm.com> Reviewed-by: Dave Marquardt <davemarq@linux.ibm.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://patch.msgid.link/20250320212951.11142-1-nnac123@linux.ibm.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>``` Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-04-30 09:20 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: Kamal Heib <kheib@redhat.com> Approved-by: Michal Schmidt <mschmidt@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Jan Stancek <jstancek@redhat.com>
2 parents 80ab016 + 2670815 commit 92998dd

File tree

1 file changed

+18
-12
lines changed

1 file changed

+18
-12
lines changed

drivers/net/ethernet/ibm/ibmvnic.c

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -4832,6 +4832,18 @@ static void vnic_add_client_data(struct ibmvnic_adapter *adapter,
48324832
strscpy(vlcd->name, adapter->netdev->name, len);
48334833
}
48344834

4835+
static void ibmvnic_print_hex_dump(struct net_device *dev, void *buf,
4836+
size_t len)
4837+
{
4838+
unsigned char hex_str[16 * 3];
4839+
4840+
for (size_t i = 0; i < len; i += 16) {
4841+
hex_dump_to_buffer((unsigned char *)buf + i, len - i, 16, 8,
4842+
hex_str, sizeof(hex_str), false);
4843+
netdev_dbg(dev, "%s\n", hex_str);
4844+
}
4845+
}
4846+
48354847
static int send_login(struct ibmvnic_adapter *adapter)
48364848
{
48374849
struct ibmvnic_login_rsp_buffer *login_rsp_buffer;
@@ -4942,10 +4954,8 @@ static int send_login(struct ibmvnic_adapter *adapter)
49424954
vnic_add_client_data(adapter, vlcd);
49434955

49444956
netdev_dbg(adapter->netdev, "Login Buffer:\n");
4945-
for (i = 0; i < (adapter->login_buf_sz - 1) / 8 + 1; i++) {
4946-
netdev_dbg(adapter->netdev, "%016lx\n",
4947-
((unsigned long *)(adapter->login_buf))[i]);
4948-
}
4957+
ibmvnic_print_hex_dump(adapter->netdev, adapter->login_buf,
4958+
adapter->login_buf_sz);
49494959

49504960
memset(&crq, 0, sizeof(crq));
49514961
crq.login.first = IBMVNIC_CRQ_CMD;
@@ -5322,15 +5332,13 @@ static void handle_query_ip_offload_rsp(struct ibmvnic_adapter *adapter)
53225332
{
53235333
struct device *dev = &adapter->vdev->dev;
53245334
struct ibmvnic_query_ip_offload_buffer *buf = &adapter->ip_offload_buf;
5325-
int i;
53265335

53275336
dma_unmap_single(dev, adapter->ip_offload_tok,
53285337
sizeof(adapter->ip_offload_buf), DMA_FROM_DEVICE);
53295338

53305339
netdev_dbg(adapter->netdev, "Query IP Offload Buffer:\n");
5331-
for (i = 0; i < (sizeof(adapter->ip_offload_buf) - 1) / 8 + 1; i++)
5332-
netdev_dbg(adapter->netdev, "%016lx\n",
5333-
((unsigned long *)(buf))[i]);
5340+
ibmvnic_print_hex_dump(adapter->netdev, buf,
5341+
sizeof(adapter->ip_offload_buf));
53345342

53355343
netdev_dbg(adapter->netdev, "ipv4_chksum = %d\n", buf->ipv4_chksum);
53365344
netdev_dbg(adapter->netdev, "ipv6_chksum = %d\n", buf->ipv6_chksum);
@@ -5561,10 +5569,8 @@ static int handle_login_rsp(union ibmvnic_crq *login_rsp_crq,
55615569
netdev->mtu = adapter->req_mtu - ETH_HLEN;
55625570

55635571
netdev_dbg(adapter->netdev, "Login Response Buffer:\n");
5564-
for (i = 0; i < (adapter->login_rsp_buf_sz - 1) / 8 + 1; i++) {
5565-
netdev_dbg(adapter->netdev, "%016lx\n",
5566-
((unsigned long *)(adapter->login_rsp_buf))[i]);
5567-
}
5572+
ibmvnic_print_hex_dump(netdev, adapter->login_rsp_buf,
5573+
adapter->login_rsp_buf_sz);
55685574

55695575
/* Sanity checks */
55705576
if (login->num_txcomp_subcrqs != login_rsp->num_txsubm_subcrqs ||

0 commit comments

Comments
 (0)