Re: [PATCH net-next] net: dsa: mxl862xx: don't read out-of-bounds

Next message: Pavel Tikhomirov: "Re: [PATCH] selftests: x86: test_shadow_stack: return KSFT_SKIP when test is skipped"
Previous message: Lorenzo Stoakes (Oracle): "Re: [PATCH v2 01/23] mm/vma: add vma_flags_empty(), vma_flags_and(), vma_flags_diff_pair()"
In reply to: Daniel Golle: "[PATCH net-next] net: dsa: mxl862xx: don't read out-of-bounds"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net-next] net: dsa: mxl862xx: don't read out-of-bounds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Thu Mar 19 2026 - 12:50:41 EST

On Wed, Mar 18, 2026 at 03:07:52AM +0000, Daniel Golle wrote:
> The write loop in mxl862xx_api_wrap() computes the word count as
> (size + 1) / 2, rounding up for odd-sized structs.
>
> On the last iteration of an odd-sized buffer it reads a full __le16
> from data[i], accessing one byte past the end of the caller's struct.
> KASAN catches this as a stack-out-of-bounds read during probe (e.g.
> from mxl862xx_bridge_config_fwd() because of the odd length of
> sizeof(struct mxl862xx_bridge_config) == 49).
>
> The read-back loop already handles this case, it writes only a single
> byte when (i * 2 + 1) == size. The write loop lacked the same guard.
>
> In practice the over-read is harmless: the extra stack byte is sent to
> the firmware which ignores trailing data beyond the command's declared
> payload size.
>
> Apply the same odd-size last-byte handling to the write path: when the
> final word contains only one valid byte, send *(u8 *)&data[i] instead
> of le16_to_cpu(data[i]). This is endian-safe because data is
> __le16-encoded and the low byte is always at the lowest address
> regardless of host byte order.
>
> Signed-off-by: Daniel Golle <daniel@xxxxxxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>