CVE-2025-71087

Source
https://cve.org/CVERecord?id=CVE-2025-71087
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71087.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-71087
Downstream
Related
Published
2026-01-13T15:34:49.691Z
Modified
2026-03-12T04:32:20.009094Z
Summary
iavf: fix off-by-one issues in iavf_config_rss_reg()
Details

In the Linux kernel, the following vulnerability has been resolved:

iavf: fix off-by-one issues in iavf_config_rss_reg()

There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers.

Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index.

That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where rss_{key,lut}_size / 4 is the number of dwords, so the last valid index is (rss_{key,lut}_size / 4) - 1. Therefore, using <= accesses one element past the end.

Fix the issues by using < instead of <=, ensuring we do not exceed the bounds.

[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63

CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
 <TASK>
 dump_stack_lvl+0x6f/0xb0
 print_report+0x170/0x4f3
 kasan_report+0xe1/0x1a0
 iavf_config_rss+0x619/0x800
 iavf_watchdog_task+0x2be7/0x3230
 process_one_work+0x7fd/0x1420
 worker_thread+0x4d1/0xd40
 kthread+0x344/0x660
 ret_from_fork+0x249/0x320
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 63:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x7f/0x90
 __kmalloc_noprof+0x246/0x6f0
 iavf_watchdog_task+0x28fc/0x3230
 process_one_work+0x7fd/0x1420
 worker_thread+0x4d1/0xd40
 kthread+0x344/0x660
 ret_from_fork+0x249/0x320
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff888102c50100
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
 allocated 52-byte region [ffff888102c50100, ffff888102c50134)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
 ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
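
The bound error described in the details above can be reproduced in a small user-space model. This is an added example, not the driver's code or the upstream patch: `rss_key_walk`, `struct walk_result` and the `regs` array are hypothetical names, and the 52-byte key size is taken from the KASAN report. With the `<=` bound the walk visits dword index 13, whose byte offset 52 (0x34) corresponds to the reported read at ffff888102c50134 in an object starting at ffff888102c50100.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 52u                 /* bytes, as in the KASAN report's 52-byte region */
#define KEY_DWORDS (KEY_SIZE / 4)    /* 13 dwords, valid indices 0..12 */

struct walk_result {
    unsigned oob_reads;    /* dword loads past the end of the key buffer */
    unsigned oob_writes;   /* stores past the last modeled key register */
    long first_oob_offset; /* byte offset of the first bad read, -1 if none */
};

/* Walk the key the way the driver loop does. inclusive != 0 models the
 * "i <= size / 4" bound, inclusive == 0 models the fixed "i < size / 4".
 * Out-of-range accesses are counted, never performed. */
struct walk_result rss_key_walk(int inclusive)
{
    uint8_t key[KEY_SIZE];            /* constructed sample key */
    uint32_t regs[KEY_DWORDS] = {0};  /* hypothetical model of the key registers */
    struct walk_result res = {0, 0, -1};
    size_t last = inclusive ? KEY_DWORDS : KEY_DWORDS - 1;  /* last index visited */

    memset(key, 0xA5, sizeof(key));
    for (size_t i = 0; i <= last; i++) {
        uint32_t dw = 0;
        if ((i + 1) * 4 <= sizeof(key)) {
            memcpy(&dw, key + i * 4, sizeof(dw));
        } else {
            res.oob_reads++;
            if (res.first_oob_offset < 0)
                res.first_oob_offset = (long)(i * 4);
        }
        if (i < KEY_DWORDS)
            regs[i] = dw;
        else
            res.oob_writes++;
    }
    (void)regs;
    return res;
}

int main(void)
{
    struct walk_result bad = rss_key_walk(1), good = rss_key_walk(0);
    printf("<= : reads=%u writes=%u first_offset=%ld\n",
           bad.oob_reads, bad.oob_writes, bad.first_oob_offset);
    printf("<  : reads=%u writes=%u\n", good.oob_reads, good.oob_writes);
    return 0;
}
```
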

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71087.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
43a3d9ba34c9ca313573201d3f45de5ab3494cec
Fixed
ceb8459df28d22c225a82d74c0f725f2a935d194
Fixed
5bb18bfd505ca1affbca921462c350095a6c798c
Fixed
d7369dc8dd7cbf5cee3a22610028d847b6f02982
Fixed
18de0e41d69d97fab10b91fecf10ae78a5e43232
Fixed
f36de3045d006e6d9be1be495f2ed88d1721e752
Fixed
3095228e1320371e143835d0cebeef1a8a754c66
Fixed
6daa2893f323981c7894c68440823326e93a7d61

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71087.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type         Introduced   Fixed
ECOSYSTEM    4.7.0        5.10.248
ECOSYSTEM    5.11.0       5.15.198
ECOSYSTEM    5.16.0       6.1.160
ECOSYSTEM    6.2.0        6.6.120
ECOSYSTEM    6.7.0        6.12.64
ECOSYSTEM    6.13.0       6.18.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71087.json"