From b16f032fa0ca95efc55f00bac7e28dd40dfdd63d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 27 Apr 2026 10:48:17 -0600
Subject: [PATCH] 5.10-stable patches
added patches:
firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch
ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch
misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch
---
 ...ffer-do-not-mark-framebuffer-as-busy.patch | 47 ++++++++++++
 ...over-read-in-ibmasm_send_i2o_message.patch | 72 +++++++++++++++++++
 ...ile_write-due-to-missing-size-checks.patch | 59 +++++++++++++++
 ...ead-in-ibmasm_handle_mouse_interrupt.patch | 62 ++++++++++++++++
 queue-5.10/series | 4 ++
 5 files changed, 244 insertions(+)
 create mode 100644 queue-5.10/firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
 create mode 100644 queue-5.10/ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch
 create mode 100644 queue-5.10/ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch
 create mode 100644 queue-5.10/misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch
diff --git a/queue-5.10/firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch b/queue-5.10/firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
new file mode 100644
index 0000000000..6272c665f0
--- /dev/null
+++ b/queue-5.10/firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
@@ -0,0 +1,47 @@
+From f3850d399de3b6142b02315227ef9e772ed0c302 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann
+Date: Tue, 17 Feb 2026 16:56:12 +0100
+Subject: firmware: google: framebuffer: Do not mark framebuffer as busy
+
+From: Thomas Zimmermann
+
+commit f3850d399de3b6142b02315227ef9e772ed0c302 upstream.
+
+Remove the flag IORESOURCE_BUSY flag from coreboot's framebuffer
+resource. It prevents simpledrm from successfully requesting the
+range for its own use; resulting in errors such as
+
+[ 2.775430] simple-framebuffer simple-framebuffer.0: [drm] could not acquire memory region [mem 0x80000000-0x80407fff flags 0x80000200]
+
+As with other uses of simple-framebuffer, the simple-framebuffer
+device should only declare it's I/O resources, but not actively use
+them.
+
+Signed-off-by: Thomas Zimmermann
+Fixes: 851b4c14532d ("firmware: coreboot: Add coreboot framebuffer driver")
+Acked-by: Tzung-Bi Shih
+Acked-by: Julius Werner
+Cc: Samuel Holland
+Cc: Greg Kroah-Hartman
+Cc: Tzung-Bi Shih
+Cc: Brian Norris
+Cc: Julius Werner
+Cc: chrome-platform@lists.linux.dev
+Cc: # v4.18+
+Link: https://patch.msgid.link/20260217155836.96267-3-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/google/framebuffer-coreboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/google/framebuffer-coreboot.c
++++ b/drivers/firmware/google/framebuffer-coreboot.c
+@@ -50,7 +50,7 @@ static int framebuffer_probe(struct core
+ return -ENODEV;
+ 
+ memset(&res, 0, sizeof(res));
+- res.flags = IORESOURCE_MEM | IORESOURCE_BUSY;
++ res.flags = IORESOURCE_MEM;
+ res.name = "Coreboot Framebuffer";
+ res.start = fb->physical_address;
+ length = PAGE_ALIGN(fb->y_resolution * fb->bytes_per_line);
diff --git a/queue-5.10/ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch b/queue-5.10/ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch
new file mode 100644
index 0000000000..5cd0f2d07c
--- /dev/null
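Review bot: The new `res.flags = IORESOURCE_MEM;` in framebuffer_probe() drops IORESOURCE_BUSY with no comment at the site, so the rationale lives only in the commit message and the flag is likely to be re-added later as a "hardening" change. I would put a why-comment directly above the line: `/* Declare the range but do not claim it (no IORESOURCE_BUSY): the framebuffer driver, e.g. simpledrm, requests the region itself. */`. Without BUSY nothing in this driver holds the region and the first driver to request it wins, which is the intent here and worth stating explicitly. The firmware-supplied `fb->y_resolution * fb->bytes_per_line` product on the last context line is fed to PAGE_ALIGN() unchecked; that predates this change and is outside its scope. framebuffer_probe() begins before the hunk and continues after it.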
+++ b/queue-5.10/ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch 
@@ -0,0 +1,72 @@
+From 9aad71144fa3682cca3837a06c8623016790e7ec Mon Sep 17 00:00:00 2001
+From: Tyllis Xu
+Date: Sat, 14 Mar 2026 11:58:05 -0500
+Subject: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
+
+From: Tyllis Xu
+
+commit 9aad71144fa3682cca3837a06c8623016790e7ec upstream.
+
+The ibmasm_send_i2o_message() function uses get_dot_command_size() to
+compute the byte count for memcpy_toio(), but this value is derived from
+user-controlled fields in the dot_command_header (command_size: u8,
+data_size: u16) and is never validated against the actual allocation size.
+A root user can write a small buffer with inflated header fields, causing
+memcpy_toio() to read up to ~65 KB past the end of the allocation into
+adjacent kernel heap, which is then forwarded to the service processor
+over MMIO.
+
+Silently clamping the copy size is not sufficient: if the header fields
+claim a larger size than the buffer, the SP receives a dot command whose
+own header is inconsistent with the I2O message length, which can cause
+the SP to desynchronize. Reject such commands outright by returning
+failure.
+
+Validate command_size before calling get_mfa_inbound() to avoid leaking
+an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
+frame from the controller's free pool, and returning without a
+corresponding set_mfa_inbound() call would permanently exhaust it.
+
+Additionally, clamp command_size to I2O_COMMAND_SIZE before the
+memcpy_toio() so the MMIO write stays within the I2O message frame,
+consistent with the clamping already performed by outgoing_message_size()
+for the header field.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Yuhao Jiang
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyllis Xu
+Link: https://patch.msgid.link/20260314165805.548293-1-LivelyCarpet87@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/ibmasm/lowlevel.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/ibmasm/lowlevel.c
++++ b/drivers/misc/ibmasm/lowlevel.c
+@@ -19,17 +19,21 @@ static struct i2o_header header = I2O_HE
+ int ibmasm_send_i2o_message(struct service_processor *sp)
+ {
+ u32 mfa;
+- unsigned int command_size;
++ size_t command_size;
+ struct i2o_message *message;
+ struct command *command = sp->current_command;
+ 
++ command_size = get_dot_command_size(command->buffer);
++ if (command_size > command->buffer_size)
++ return 1;
++ if (command_size > I2O_COMMAND_SIZE)
++ command_size = I2O_COMMAND_SIZE;
++
+ mfa = get_mfa_inbound(sp->base_address);
+ if (!mfa)
+ return 1;
+ 
+- command_size = get_dot_command_size(command->buffer);
+- header.message_size = outgoing_message_size(command_size);
+-
++ header.message_size = outgoing_message_size((unsigned int)command_size);
+ message = get_i2o_message(sp->base_address, mfa);
+ 
+ memcpy_toio(&message->header, &header, sizeof(struct i2o_header));
diff --git a/queue-5.10/ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch b/queue-5.10/ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch
new file mode 100644
index 0000000000..fdf6a0b5d1
--- /dev/null
+++ b/queue-5.10/ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch
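Review bot: `get_dot_command_size(command->buffer)` reads command_size and data_size out of the header before the new `command_size > command->buffer_size` check runs, so ibmasm_send_i2o_message() still assumes every caller allocated at least a full dot_command_header; I would make the function self-sufficient with `if (command->buffer_size < sizeof(struct dot_command_header)) return 1;` ahead of the get_dot_command_size() call, which keeps the rejection before get_mfa_inbound() as the commit message requires. The following clamp to I2O_COMMAND_SIZE silently truncates the payload while the dot command's own header still declares the full length, which looks like the same header/length inconsistency the message says must be rejected; either `return 1;` there as well or add a comment stating why truncation is acceptable to the SP. Both guards return 1, presumably what the caller treats as a send failure, but that caller is not in view. The function continues past the end of the hunk.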
@@ -0,0 +1,59 @@
+From 0eb09f737428e482a32a2e31e5e223f2b35a71d3 Mon Sep 17 00:00:00 2001
+From: Tyllis Xu
+Date: Sat, 14 Mar 2026 11:53:54 -0500
+Subject: ibmasm: fix OOB reads in command_file_write due to missing size checks
+
+From: Tyllis Xu
+
+commit 0eb09f737428e482a32a2e31e5e223f2b35a71d3 upstream.
+
+The command_file_write() handler allocates a kernel buffer of exactly
+count bytes and copies user data into it, but does not validate the
+buffer against the dot command protocol before passing it to
+get_dot_command_size() and get_dot_command_timeout().
+
+Since both the allocation size (count) and the header fields (command_size,
+data_size) are independently user-controlled, an attacker can cause
+get_dot_command_size() to return a value exceeding the allocation,
+triggering OOB reads in get_dot_command_timeout() and an out-of-bounds
+memcpy_toio() that leaks kernel heap memory to the service processor.
+
+Fix with two guards: reject writes smaller than sizeof(struct
+dot_command_header) before allocation, then after copying user data
+reject commands where the buffer is smaller than the total size declared
+by the header (sizeof(header) + command_size + data_size). This ensures
+all subsequent header and payload field accesses stay within the buffer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Yuhao Jiang
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyllis Xu
+Link: https://patch.msgid.link/20260314165355.548119-1-LivelyCarpet87@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/ibmasm/ibmasmfs.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/misc/ibmasm/ibmasmfs.c
++++ b/drivers/misc/ibmasm/ibmasmfs.c
+@@ -303,6 +303,8 @@ static ssize_t command_file_write(struct
+ return -EINVAL;
+ if (count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
+ return 0;
++ if (count < sizeof(struct dot_command_header))
++ return -EINVAL;
+ if (*offset != 0)
+ return 0;
+ 
+@@ -319,6 +321,11 @@ static ssize_t command_file_write(struct
+ return -EFAULT;
+ }
+ 
++ if (count < get_dot_command_size(cmd->buffer)) {
++ command_put(cmd);
++ return -EINVAL;
++ }
++
+ spin_lock_irqsave(&command_data->sp->lock, flags);
+ if (command_data->command) {
+ spin_unlock_irqrestore(&command_data->sp->lock, flags);
diff --git a/queue-5.10/misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch b/queue-5.10/misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch
new file mode 100644
index 0000000000..e612ad028b
--- /dev/null
+++ b/queue-5.10/misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch
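Review bot: The guard `if (count < get_dot_command_size(cmd->buffer))` is what makes the later get_dot_command_timeout() and memcpy_toio() accesses safe, but nothing at the site says that the header fields it reads are user-controlled; I would add `/* command_size/data_size are user-supplied: the total they declare must fit in the count bytes just copied in. */` above it. Writes whose count exceeds the declared size are still accepted with the trailing bytes silently ignored; if that is intentional, the same comment should say so. The two new checks return -EINVAL while the pre-existing `count > IBMASM_CMD_MAX_BUFFER_SIZE` path two lines earlier still returns 0, which a user-space write loop can spin on; that predates this patch but deserves a follow-up. command_file_write() starts before the first hunk and continues after the second.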
@@ -0,0 +1,62 @@
+From 4b6e6ead556734bdc14024c5f837132b1e7a4b84 Mon Sep 17 00:00:00 2001
+From: Tyllis Xu
+Date: Sun, 8 Mar 2026 00:21:08 -0600
+Subject: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
+
+From: Tyllis Xu
+
+commit 4b6e6ead556734bdc14024c5f837132b1e7a4b84 upstream.
+
+ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read
+when the queue reader or writer index from hardware exceeds
+REMOTE_QUEUE_SIZE (60).
+
+A compromised service processor can trigger this by writing an
+out-of-range value to the reader or writer MMIO register before
+asserting an interrupt. Since writer is re-read from hardware on
+every loop iteration, it can also be set to an out-of-range value
+after the loop has already started.
+
+The root cause is that get_queue_reader() and get_queue_writer() return
+raw readl() values that are passed directly into get_queue_entry(),
+which computes:
+
+ queue_begin + reader * sizeof(struct remote_input)
+
+with no bounds check. This unchecked MMIO address is then passed to
+memcpy_fromio(), reading 8 bytes from unintended device registers.
+For sufficiently large values the address falls outside the PCI BAR
+mapping entirely, triggering a machine check exception.
+
+Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of
+the loop body, before any call to get_queue_entry(). On an out-of-range
+value, reset the reader register to 0 via set_queue_reader() before
+breaking, so that normal queue operation can resume if the corrupted
+hardware state is transient.
+
+Reported-by: Yuhao Jiang
+Fixes: 278d72ae8803 ("[PATCH] ibmasm driver: redesign handling of remote control events")
+Cc: stable@vger.kernel.org
+Cc: ychen@northwestern.edu
+Signed-off-by: Tyllis Xu
+Link: https://patch.msgid.link/20260308062108.258940-1-LivelyCarpet87@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/ibmasm/remote.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/misc/ibmasm/remote.c
++++ b/drivers/misc/ibmasm/remote.c
+@@ -177,6 +177,11 @@ void ibmasm_handle_mouse_interrupt(struc
+ writer = get_queue_writer(sp);
+ 
+ while (reader != writer) {
++ if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
++ set_queue_reader(sp, 0);
++ break;
++ }
++
+ memcpy_fromio(&input, get_queue_entry(sp, reader),
+ sizeof(struct remote_input));
+ 
diff --git a/queue-5.10/series
index 48c8a6298b..e8e99ecad7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -139,3 +139,7 @@ alsa-usb-audio-stop-parsing-uac2-rates-at-max_nr_rates.patch
 alsa-usb-audio-avoid-false-e-mu-sample-rate-notifications.patch
 alsa-usb-audio-fix-audio-advantage-micro-ii-spdif-switch.patch
 usb-xhci-make-usb_host_endpoint.hcpriv-survive-endpoint_disable.patch
+misc-ibmasm-fix-oob-mmio-read-in-ibmasm_handle_mouse_interrupt.patch
+ibmasm-fix-oob-reads-in-command_file_write-due-to-missing-size-checks.patch
+ibmasm-fix-heap-over-read-in-ibmasm_send_i2o_message.patch
+firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
-- 
2.47.3
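Review bot: The out-of-range branch in ibmasm_handle_mouse_interrupt() resets the reader index and breaks without any diagnostic, yet the commit message's own threat model is a compromised service processor, so an operator gets no signal that the SP is feeding bogus queue indices; I would add a rate-limited warning before the `set_queue_reader(sp, 0);`, e.g. `dev_warn_ratelimited(sp->dev, "remote queue index out of range (reader=%lu writer=%lu)\n", reader, writer);` (adjust the device pointer and format specifiers to the actual declarations). The `>=` comparison is only sound if reader and writer are unsigned; their declarations are outside the hunk, so please confirm a readl() value interpreted as a signed type cannot slip past the check as a negative index. Resetting the reader when only the writer is bad also discards whatever events were queued, which is acceptable for recovery but deserves a one-line comment saying it is deliberate. The function begins before the hunk and its loop body continues after it.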