Home

Description

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-06-01 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ca1c857e2bb74a9fc0606128334f85316d57067b
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b870f652877bfbe321bd0f4096fc37a93296f7b6
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ce57fa439bd1b5d664f334a0c3e3f0e42abb0153
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before fd19eb1c75047a4ed4e855f56cafd704dc3914e0
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before fe31722b0194ff76bf8b461e8bf97a2081147787
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before c1c2417c60dbdca5ebb00462f21ee71c2d7f7083
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9e8f6c9d4ecddda2f28baa1678340286cff3969c
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9aad71144fa3682cca3837a06c8623016790e7ec
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.140 (semver)
unaffected

6.12.86 (semver)
unaffected

6.18.27 (semver)
unaffected

7.0.4 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ca1c857e2bb74a9fc0606128334f85316d57067b

git.kernel.org/...c/b870f652877bfbe321bd0f4096fc37a93296f7b6

git.kernel.org/...c/ce57fa439bd1b5d664f334a0c3e3f0e42abb0153

git.kernel.org/...c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0

git.kernel.org/...c/fe31722b0194ff76bf8b461e8bf97a2081147787

git.kernel.org/...c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083

git.kernel.org/...c/9e8f6c9d4ecddda2f28baa1678340286cff3969c

git.kernel.org/...c/9aad71144fa3682cca3837a06c8623016790e7ec

cve.org (CVE-2026-46064)

nvd.nist.gov (CVE-2026-46064)

Download JSON