[PATCH net 6/9] ethtool: cmis: require exact CDB reply length

[PATCH net 0/9] ethtool: module: fix a handful of small bugs · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
[PATCH net 1/9] ethtool: module: call ethnl_ops_complete() on module flash errors · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 1/9] ethtool: module: call ethnl_ops_complete() on module flash errors · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 1/9] ethtool: module: call ethnl_ops_complete() on module flash errors · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 2/9] ethtool: module: avoid leaking a netdev ref on module flash errors · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 2/9] ethtool: module: avoid leaking a netdev ref on module flash errors · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 2/9] ethtool: module: avoid leaking a netdev ref on module flash errors · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 3/9] ethtool: module: avoid racy updates to dev->ethtool bitfield · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 3/9] ethtool: module: avoid racy updates to dev->ethtool bitfield · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 3/9] ethtool: module: avoid racy updates to dev->ethtool bitfield · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 4/9] ethtool: module: check fw_flash_in_progress under rtnl_lock · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 4/9] ethtool: module: check fw_flash_in_progress under rtnl_lock · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 4/9] ethtool: module: check fw_flash_in_progress under rtnl_lock · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 5/9] ethtool: module: fix cleanup if socket used for flashing multiple devices · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
RE: [PATCH net 5/9] ethtool: module: fix cleanup if socket used for flashing multiple devices · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 6/9] ethtool: cmis: require exact CDB reply length · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
RE: [PATCH net 6/9] ethtool: cmis: require exact CDB reply length · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 7/9] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 7/9] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 7/9] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 8/9] ethtool: cmis: validate start_cmd_payload_size from module · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 8/9] ethtool: cmis: validate start_cmd_payload_size from module · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 8/9] ethtool: cmis: validate start_cmd_payload_size from module · Danielle Ratson <hidden> · 2026-05-24
[PATCH net 9/9] ethtool: cmis: validate fw->size against start_cmd_payload_size · Jakub Kicinski <kuba@kernel.org> · 2026-05-22
Re: [PATCH net 9/9] ethtool: cmis: validate fw->size against start_cmd_payload_size · Maxime Chevallier <maxime.chevallier@bootlin.com> · 2026-05-23
RE: [PATCH net 9/9] ethtool: cmis: validate fw->size against start_cmd_payload_size · Danielle Ratson <hidden> · 2026-05-24
Re: [PATCH net 0/9] ethtool: module: fix a handful of small bugs · patchwork-bot+netdevbpf@kernel.org · 2026-05-26

COOLING4d

From: Jakub Kicinski <kuba@kernel.org>
Date: 2026-05-22 23:13:27
Subsystem: networking [ethtool], networking [general], the rest · Maintainers: Andrew Lunn, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Linus Torvalds

Malicious SFP module could respond with rpl_len longer than
what cmis_cdb_process_reply() expected, leading to OOB writes.
Malicious HW is a bit theoretical but some modules may just
be buggy and/or the reads may occasionally get corrupted,
so let's protect the kernel.

The existing check protects from short replies. We need to
protect from long ones, too. All callers that pass a non-zero
rpl_exp_len cast the reply payload to a fixed-layout struct
and read fields at fixed offsets, with no version negotiation
or short-reply handling:

  - cmis_cdb_validate_password()
  - cmis_cdb_module_features_get()
  - cmis_fw_update_fw_mng_features_get()

so let's assume that responses longer than expected do not
have to be handled gracefully here. Add a warning message
to make the debug easier in case my understanding is wrong...

Note that page_data->length (argument of kmalloc) comes from
last arg to ethtool_cmis_page_init() which is rpl_exp_len.

Note2 that AIs also like to point out overflows in args->req.payload
itself (which is a fixed-size 120 B buffer, on the stack),
but callers should be reading structs defined by the standard,
so protecting from requests for more data than max seem like
defensive programming.

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
CC: andrew@lunn.ch
CC: kees@kernel.org
CC: danieller@nvidia.com
CC: petrm@nvidia.com
---
 net/ethtool/cmis_cdb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 3670ca42dd40..f3a53a984460 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c

@@ -513,8 +513,13 @@ static int cmis_cdb_process_reply(struct net_device *dev,
 	}
 
 	rpl = (struct ethtool_cmis_cdb_rpl *)page_data->data;
-	if ((args->rpl_exp_len > rpl->hdr.rpl_len + rpl_hdr_len) ||
-	    !rpl->hdr.rpl_chk_code) {
+	if (rpl->hdr.rpl_len != args->rpl_exp_len) {
+		netdev_warn(dev, "CDB reply length mismatch, expected %u got %u\n",
+			    args->rpl_exp_len, rpl->hdr.rpl_len);
+		err = -EIO;
+		goto out;
+	}
+	if (!rpl->hdr.rpl_chk_code) {
 		err = -EIO;
 		goto out;
 	}

-- 
2.54.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help