7.1

CVE-2026-46064

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

The ibmasm_send_i2o_message() function uses get_dot_command_size() to
compute the byte count for memcpy_toio(), but this value is derived from
user-controlled fields in the dot_command_header (command_size: u8,
data_size: u16) and is never validated against the actual allocation size.
A root user can write a small buffer with inflated header fields, causing
memcpy_toio() to read up to ~65 KB past the end of the allocation into
adjacent kernel heap, which is then forwarded to the service processor
over MMIO.

Silently clamping the copy size is not sufficient: if the header fields
claim a larger size than the buffer, the SP receives a dot command whose
own header is inconsistent with the I2O message length, which can cause
the SP to desynchronize. Reject such commands outright by returning
failure.

Validate command_size before calling get_mfa_inbound() to avoid leaking
an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware
frame from the controller's free pool, and returning without a
corresponding set_mfa_inbound() call would permanently exhaust it.

Additionally, clamp command_size to I2O_COMMAND_SIZE before the
memcpy_toio() so the MMIO write stays within the I2O message frame,
consistent with the clamping already performed by outgoing_message_size()
for the header field.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.12.1 < 5.10.258
LinuxLinux Kernel Version >= 5.11 < 5.15.209
LinuxLinux Kernel Version >= 5.16 < 6.1.175
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.86
LinuxLinux Kernel Version >= 6.13 < 6.18.27
LinuxLinux Kernel Version >= 6.19 < 7.0.4
LinuxLinux Kernel Version2.6.12 Update-
LinuxLinux Kernel Version2.6.12 Updaterc2
LinuxLinux Kernel Version2.6.12 Updaterc3
LinuxLinux Kernel Version2.6.12 Updaterc4
LinuxLinux Kernel Version2.6.12 Updaterc5
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.026
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0
Patch
https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787
Patch
https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083
Patch
https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c
Patch
https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec
Patch
https://git.kernel.org/stable/c/b870f652877bfbe321bd0f4096fc37a93296f7b6
Patch
https://git.kernel.org/stable/c/ca1c857e2bb74a9fc0606128334f85316d57067b
Patch
https://git.kernel.org/stable/c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153
Patch