In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]qed: Don't collect too many protection override GRC elements[EOL][EOL]In the protection override dump path, the firmware can return far too[EOL]many GRC elements, resulting in attempting to write past the end of the[EOL]previously-kmalloc'ed dump buffer.[EOL][EOL]This will result in a kernel panic with reason:[EOL][EOL] BUG: unable to handle kernel paging request at ADDRESS[EOL][EOL]where "ADDRESS" is just past the end of the protection override dump[EOL]buffer. The start address of the buffer is:[EOL] p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf[EOL]and the size of the buffer is buf_size in the same data structure.[EOL][EOL]The panic can be arrived at from either the qede Ethernet driver path:[EOL][EOL] [exception RIP: qed_grc_dump_addr_range+0x108][EOL] qed_protection_override_dump at ffffffffc02662ed [qed][EOL] qed_dbg_protection_override_dump at ffffffffc0267792 [qed][EOL] qed_dbg_feature at ffffffffc026aa8f [qed][EOL] qed_dbg_all_data at ffffffffc026b211 [qed][EOL] qed_fw_fatal_reporter_dump at ffffffffc027298a [qed][EOL] devlink_health_do_dump at ffffffff82497f61[EOL] devlink_health_report at ffffffff8249cf29[EOL] qed_report_fatal_error at ffffffffc0272baf [qed][EOL] qede_sp_task at ffffffffc045ed32 [qede][EOL] process_one_work at ffffffff81d19783[EOL][EOL]or the qedf storage driver path:[EOL][EOL] [exception RIP: qed_grc_dump_addr_range+0x108][EOL] qed_protection_override_dump at ffffffffc068b2ed [qed][EOL] qed_dbg_protection_override_dump at ffffffffc068c792 [qed][EOL] qed_dbg_feature at ffffffffc068fa8f [qed][EOL] qed_dbg_all_data at ffffffffc0690211 [qed][EOL] qed_fw_fatal_reporter_dump at ffffffffc069798a [qed][EOL] devlink_health_do_dump at ffffffff8aa95e51[EOL] devlink_health_report at ffffffff8aa9ae19[EOL] qed_report_fatal_error at ffffffffc0697baf [qed][EOL] qed_hw_err_notify at ffffffffc06d32d7 [qed][EOL] qed_spq_post at ffffffffc06b1011 [qed][EOL] qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed][EOL] qedf_cleanup_fcport at ffffffffc05e7597 [qedf][EOL] qedf_rport_event_handler at ffffffffc05e7bf7 [qedf][EOL] fc_rport_work at ffffffffc02da715 [libfc][EOL] process_one_work at ffffffff8a319663[EOL][EOL]Resolve this by clamping the firmware's return value to the maximum[EOL]number of legal elements the firmware should return.
