> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of 
> Aleksandr Loktionov
> Sent: Thursday, April 30, 2026 7:22 AM
> To: [email protected]; Nguyen, Anthony L 
> <[email protected]>; Loktionov, Aleksandr 
> <[email protected]>
> Cc: [email protected]
> Subject: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in 
> ice_parser_profile_init
> 
> set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of 
> ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from 
> providing ptype >= 1024 through VIRTCHNL, resulting in a write past the end 
> of the bitmap and a kernel page fault.
> 
> Reproduced with a custom kernel module injecting a crafted 
> VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592), FW 4.91 0x800214af 
> 1.3909.0, ICE COMMS DDP 1.3.53.0, kernel 7.1.0-rc1.
> 
> crash_parser: ice_parser_profile_init @ ffffffffc0d61b60
> crash_parser: setting ptype=0xffff (max valid=1023)
> crash_parser: calling ice_parser_profile_init -- expect OOB crash!
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> Oops: Oops: 0002 [#1] SMP NOPTI
> CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1
> Hardware name: Intel Corporation S2600BPB/S2600BPB
> RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]
> Call Trace:
>  <TASK>
>  ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]
>  crash_init+0x127/0xff0 [crash_parser]
>  do_one_initcall+0x45/0x310
>  do_init_module+0x64/0x270
>  init_module_from_file+0xcc/0xf0
>  idempotent_init_module+0x17b/0x280
>  __x64_sys_finit_module+0x6e/0xe0
> 
> Bail out early with -EINVAL when ptype is out of range.
> 
> Fixes: e312b3a1e209 ("ice: add API for parser profile initialization")
> Cc: [email protected]
> Signed-off-by: Aleksandr Loktionov <[email protected]>
> ---
>  drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++
>  1 file changed, 3 insertions(+)

Tested-by: Alexander Nowlin <[email protected]>
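
The range check the commit message describes, modelled in userspace C as an added example; it is not the patch (its hunk is not shown on this page) and not the driver's code. `model_rslt`, `model_prof` and the function names are hypothetical stand-ins; only the 1024-bit bitmap size and the -EINVAL return come from the message.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTYPE_MAX 1024 /* ICE_FLOW_PTYPE_MAX, per the commit message */
#define WORD_BITS (sizeof(unsigned long) * CHAR_BIT)
#define BITMAP_WORDS ((PTYPE_MAX + WORD_BITS - 1) / WORD_BITS)

/* Hypothetical stand-ins for the driver structures (assumption). */
struct model_rslt { uint16_t ptype; };
struct model_prof {
    unsigned long ptypes[BITMAP_WORDS]; /* userspace DECLARE_BITMAP */
    unsigned long canary;               /* neighbour of the bitmap */
};

/* Byte offset, from the start of the bitmap, of the word bit nr lives in. */
size_t bit_byte_offset(unsigned int nr)
{
    return (nr / WORD_BITS) * sizeof(unsigned long);
}

/* Returns 0, or -EINVAL when ptype has no slot in the bitmap. */
int model_profile_init(const struct model_rslt *rslt, struct model_prof *prof)
{
    memset(prof->ptypes, 0, sizeof(prof->ptypes));
    if (rslt->ptype >= PTYPE_MAX)
        return -EINVAL; /* reject before any bitmap write */
    prof->ptypes[rslt->ptype / WORD_BITS] |= 1UL << (rslt->ptype % WORD_BITS);
    return 0;
}

int model_test_bit(const struct model_prof *prof, unsigned int nr)
{
    return (int)((prof->ptypes[nr / WORD_BITS] >> (nr % WORD_BITS)) & 1UL);
}

int main(void)
{
    const uint16_t samples[] = { 0, 1023, 1024, 0xffff }; /* constructed inputs */
    struct model_prof prof = { .canary = 0xA5A5A5A5UL };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct model_rslt r = { .ptype = samples[i] };
        printf("ptype=%u ret=%d byte offset=%zu (bitmap is %zu bytes)\n",
               (unsigned)r.ptype, model_profile_init(&r, &prof),
               bit_byte_offset(r.ptype), sizeof(prof.ptypes));
    }
    return prof.canary == 0xA5A5A5A5UL ? 0 : 1;
}
```

The printed byte offsets show why the check has to come before the write: ptype 1024 already maps to the first word after the bitmap, and 0xffff maps far beyond it.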
