AsahiLinux is potentially affected by CVE-2018-1000026

[FVF-research]

Hi Asahi Linux team,

I'm from a research team that focuses on OSS similar vulnerability detection. Our team observes 1 similar vulnerability in asahi branch. Sorry that we did not find the security policy in this project and have to post the information here.

Vulnerability info:

• CVE-2018-1000026 (7.7 HIGH): Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM.

The relevant patch info:

• ​Commit URL: torvalds@8914a59.
• Patch reference: https://ubuntu.com/security/CVE-2018-1000026

Similar vulnerable function info:

• ​ Path: drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
• ​ Function name: qlcnic_features_check
• Note: the function is the same as the unpatched version in the relevant patch.

Could you help verify that are the functions detected are impacted, and can we directly apply the patches to fix the vulnerabilities?

Thanks,
FVF research team

[nekopsykose]

a) what makes you think qlcnic requires the same workaround as bnx2x? you have presented zero analysis whatsoever
b) what does this have to do with a kernel module that is not even built for the asahi kernel? you should send this to the actual linux kernel bug tracker

[jannau]

Asahi Linux is not affected as it is currently impossibly to use PCI* devices except the built-in ones. PCIe via thunderbolt or the PCIe in the Mac Pro are not yet supported. Asahi Linux is not the proper place to report potential issues in generic linux drivers (especially if it is for HW impossible to use in any Apple silicon device). Please report the issue to the qlcnic maintainers and/or the linux netdev mailing list. See MAINTAINERS in the linux source tree.

[FVF-research]

Thanks for the clarification!

Asahi Linux is not affected as it is currently impossibly to use PCI* devices except the built-in ones. PCIe via thunderbolt or the PCIe in the Mac Pro are not yet supported. Asahi Linux is not the proper place to report potential issues in generic linux drivers (especially if it is for HW impossible to use in any Apple silicon device). Please report the issue to the qlcnic maintainers and/or the linux netdev mailing list. See MAINTAINERS in the linux source tree.