7.1

CVE-2026-46022

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

In the Linux kernel, the following vulnerability has been resolved:

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read
when the queue reader or writer index from hardware exceeds
REMOTE_QUEUE_SIZE (60).

A compromised service processor can trigger this by writing an
out-of-range value to the reader or writer MMIO register before
asserting an interrupt. Since writer is re-read from hardware on
every loop iteration, it can also be set to an out-of-range value
after the loop has already started.

The root cause is that get_queue_reader() and get_queue_writer() return
raw readl() values that are passed directly into get_queue_entry(),
which computes:

  queue_begin + reader * sizeof(struct remote_input)

with no bounds check. This unchecked MMIO address is then passed to
memcpy_fromio(), reading 8 bytes from unintended device registers.
For sufficiently large values the address falls outside the PCI BAR
mapping entirely, triggering a machine check exception.

Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of
the loop body, before any call to get_queue_entry(). On an out-of-range
value, reset the reader register to 0 via set_queue_reader() before
breaking, so that normal queue operation can resume if the corrupted
hardware state is transient.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.13 < 5.10.258
LinuxLinux Kernel Version >= 5.11 < 5.15.209
LinuxLinux Kernel Version >= 5.16 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.86
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.042
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b
Patch
https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841
Patch
https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107
Patch
https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9
Patch
https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84
Patch
https://git.kernel.org/stable/c/6f6ecc9153df176e956d0664b56f93080b0a45f0
Patch
https://git.kernel.org/stable/c/bac8643486f854dd53af9b23aea7dbbd9b7c1865
Patch
https://git.kernel.org/stable/c/f7e5b4eefd7be3e09f8bd5fee63ed478fd7446ab
Patch