CVE-2025-39949

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/10/2025
Last modified: 27/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

qed: Don't collect too many protection override GRC elements

In the protection override dump path, the firmware can return far too
many GRC elements, resulting in attempting to write past the end of the
previously-kmalloc'ed dump buffer.

This will result in a kernel panic with reason:

    BUG: unable to handle kernel paging request at ADDRESS

where "ADDRESS" is just past the end of the protection override dump
buffer. The start address of the buffer is:
p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf
and the size of the buffer is buf_size in the same data structure.

The panic can be arrived at from either the qede Ethernet driver path:

    [exception RIP: qed_grc_dump_addr_range+0x108]
    qed_protection_override_dump at ffffffffc02662ed [qed]
    qed_dbg_protection_override_dump at ffffffffc0267792 [qed]
    qed_dbg_feature at ffffffffc026aa8f [qed]
    qed_dbg_all_data at ffffffffc026b211 [qed]
    qed_fw_fatal_reporter_dump at ffffffffc027298a [qed]
    devlink_health_do_dump at ffffffff82497f61
    devlink_health_report at ffffffff8249cf29
    qed_report_fatal_error at ffffffffc0272baf [qed]
    qede_sp_task at ffffffffc045ed32 [qede]
    process_one_work at ffffffff81d19783

or the qedf storage driver path:

    [exception RIP: qed_grc_dump_addr_range+0x108]
    qed_protection_override_dump at ffffffffc068b2ed [qed]
    qed_dbg_protection_override_dump at ffffffffc068c792 [qed]
    qed_dbg_feature at ffffffffc068fa8f [qed]
    qed_dbg_all_data at ffffffffc0690211 [qed]
    qed_fw_fatal_reporter_dump at ffffffffc069798a [qed]
    devlink_health_do_dump at ffffffff8aa95e51
    devlink_health_report at ffffffff8aa9ae19
    qed_report_fatal_error at ffffffffc0697baf [qed]
    qed_hw_err_notify at ffffffffc06d32d7 [qed]
    qed_spq_post at ffffffffc06b1011 [qed]
    qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed]
    qedf_cleanup_fcport at ffffffffc05e7597 [qedf]
    qedf_rport_event_handler at ffffffffc05e7bf7 [qedf]
    fc_rport_work at ffffffffc02da715 [libfc]
    process_one_work at ffffffff8a319663

Resolve this by clamping the firmware's return value to the maximum
number of legal elements the firmware should return.
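
The clamp described in the resolution, shown as an added user-space C sketch. This is not the qed driver's code: the constants, sizes and function names are hypothetical. It goes slightly beyond the description by clamping in element units before multiplying, so a huge reported count cannot wrap, and by also bounding the copy to the caller's buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants, not the qed driver's own names or values. */
#define ELEM_DWORDS   2u                    /* dwords per override element */
#define MAX_ELEMENTS  20u                   /* most elements the window can hold */
#define MAX_DWORDS    (MAX_ELEMENTS * ELEM_DWORDS)

/* Dwords to copy for a device-reported element count. The count is
 * untrusted: clamp it in element units first so the multiplication
 * cannot wrap, then clamp again to the destination buffer's capacity. */
static uint32_t safe_dump_dwords(uint32_t fw_elems, size_t buf_dwords)
{
    uint32_t elems = fw_elems < MAX_ELEMENTS ? fw_elems : MAX_ELEMENTS;
    uint32_t dwords = elems * ELEM_DWORDS;
    return dwords < buf_dwords ? dwords : (uint32_t)buf_dwords;
}

/* Copy the override window into buf. Returns the dwords written and sets
 * *truncated when the reported count had to be cut down. */
static uint32_t dump_override_window(uint32_t *buf, size_t buf_dwords,
                                     const uint32_t *window, uint32_t fw_elems,
                                     int *truncated)
{
    uint32_t n = safe_dump_dwords(fw_elems, buf_dwords);
    *truncated = (uint64_t)fw_elems * ELEM_DWORDS > n;
    memcpy(buf, window, n * sizeof(*buf));
    return n;
}

int main(void)
{
    uint32_t window[MAX_DWORDS] = {0};      /* constructed sample data */
    uint32_t buf[MAX_DWORDS];               /* sized for the legal maximum */
    uint32_t counts[] = { 5u, 20u, 1000u, 0x80000001u }; /* constructed */

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        int truncated;
        uint32_t n = dump_override_window(buf, MAX_DWORDS, window,
                                          counts[i], &truncated);
        printf("reported=%u elements -> copied=%u dwords%s\n",
               (unsigned)counts[i], (unsigned)n,
               truncated ? " (clamped)" : "");
    }
    return 0;
}
```

Surfacing the truncation flag (a log line or counter) lets operators see that the device returned an out-of-range count instead of silently hiding it.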

Vulnerable products and versions

CPE                                                  From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         4.18 (including)   5.10.245 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.11 (including)   5.15.194 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.16 (including)   6.1.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.2 (including)    6.6.108 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.7 (including)    6.12.49 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.13 (including)   6.16.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.17:rc6:*:*:*:*:*:*