Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

Next message: Val Packett: "Re: [PATCH v5 00/10] drm/msm/dp: Drop the HPD state machine"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net-next v2] net: phy: mxl-gpy: add PHY-level statistics via ethtool"
In reply to: Michael Chan: "Re: [PATCH net v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Tue Mar 17 2026 - 19:22:15 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Sat, 14 Mar 2026 17:41:04 +0800 you wrote:
> The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
> bnxt_async_event_process() uses a firmware-supplied 'type' field
> directly as an index into bp->bs_trace[] without bounds validation.
>
> The 'type' field is a 16-bit value extracted from DMA-mapped completion
> ring memory that the NIC writes directly to host RAM. A malicious or
> compromised NIC can supply any value from 0 to 65535, causing an
> out-of-bounds access into kernel heap memory.
>
> [...]

Here is the summary with links:
- [net,v3] bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
https://git.kernel.org/netdev/net/c/64dcbde7f8f8

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html