> -----Original Message-----
> From: Intel-wired-lan <[email protected]> On Behalf Of Tony Nguyen
> Sent: Friday, June 5, 2026 10:02 PM
> To: Loktionov, Aleksandr <[email protected]>; intel-wired-[email protected]
> Cc: [email protected]
> Subject: Re: [Intel-wired-lan] [PATCH iwl-net] ice: reject out-of-range ptype in ice_parser_profile_init
>
>
>
> On 5/27/2026 12:18 AM, Aleksandr Loktionov wrote:
> > set_bit(rslt->ptype, prof->ptypes) operates on a DECLARE_BITMAP of
> > ICE_FLOW_PTYPE_MAX (1024) bits. Nothing prevents a malicious VF from
> > providing ptype >= 1024 through VIRTCHNL, resulting in a write past
> > the end of the bitmap and a kernel page fault.
> >
> > Reproduced with a custom kernel module injecting a crafted
> > VIRTCHNL_OP_ADD_RSS_CFG on E810-C QSFP (8086:1592), FW 4.91 0x800214af
> > 1.3909.0, ICE COMMS DDP 1.3.53.0, kernel 7.1.0-rc1.
> >
> > crash_parser: ice_parser_profile_init @ ffffffffc0d61b60
> > crash_parser: setting ptype=0xffff (max valid=1023)
> > crash_parser: calling ice_parser_profile_init -- expect OOB crash!
> > BUG: kernel NULL pointer dereference, address: 0000000000000000
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0002) - not-present page
> > Oops: Oops: 0002 [#1] SMP NOPTI
> > CPU: 56 UID: 0 PID: 165011 Comm: insmod Kdump: loaded Tainted: G S U OE 7.1.0-rc1 #1
> > Hardware name: Intel Corporation S2600BPB/S2600BPB
> > RIP: 0010:ice_parser_profile_init+0x2d/0x1d0 [ice]
> > Call Trace:
> > <TASK>
> > ? __pfx_ice_parser_profile_init+0x10/0x10 [ice]
> > crash_init+0x127/0xff0 [crash_parser]
> > do_one_initcall+0x45/0x310
> > do_init_module+0x64/0x270
> > init_module_from_file+0xcc/0xf0
> > idempotent_init_module+0x17b/0x280
> > __x64_sys_finit_module+0x6e/0xe0
> >
> > Bail out early with -EINVAL when ptype is out of range.
> >
> > Fixes: e312b3a1e209 ("ice: add API for parser profile initialization")
> > Cc: [email protected]
> > Signed-off-by: Aleksandr Loktionov <[email protected]>
> > ---
> > drivers/net/ethernet/intel/ice/ice_parser.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/net/ethernet/intel/ice/ice_parser.c
> > b/drivers/net/ethernet/intel/ice/ice_parser.c
> > index f8e6963..3ede4c1 100644
> > --- a/drivers/net/ethernet/intel/ice/ice_parser.c
> > +++ b/drivers/net/ethernet/intel/ice/ice_parser.c
> > @@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result
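Review bot: the three added lines are cut off after the `@@ -2368,6 +2368,9 @@ int ice_parser_profile_init(struct ice_parser_result` header as quoted here, so only the description can be checked against the change; since the description sizes the destination with DECLARE_BITMAP of ICE_FLOW_PTYPE_MAX bits, the early `return -EINVAL` should compare `rslt->ptype` against ICE_FLOW_PTYPE_MAX rather than the literal 1024 so the check cannot drift from the bitmap size, and it must be placed before the `set_bit(rslt->ptype, prof->ptypes)` call it protects. The commit message would also benefit from naming the VIRTCHNL path (the reproducer injects VIRTCHNL_OP_ADD_RSS_CFG) by which an untrusted VF reaches this function, since that is what makes the missing bound a VF-to-PF issue rather than an internal driver bug.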
Tested-by: Rafal Romanowski <[email protected]>
