PT-2026-43889 · Linux · Linux

Published: 2026-05-27 · Updated: 2026-05-27 · CVE-2026-46022

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60).
A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started.
The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes:
    queue_begin + reader * sizeof(struct remote_input)
with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception.
Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.
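
The check described above, modelled in userspace as an added example (not the kernel patch or the ibmasm driver's code). struct fake_sp, drain_queue() and the flip_at/writer_after fields are hypothetical names used to simulate device-controlled registers, including a writer value that changes after the loop has started; only REMOTE_QUEUE_SIZE (60) and the 8-byte entry size come from the advisory.

```c
/* Userspace model of the bounds check; struct fake_sp and its fields are
 * hypothetical, not the ibmasm driver's types. REMOTE_QUEUE_SIZE (60) and
 * the 8-byte entry size are taken from the advisory text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REMOTE_QUEUE_SIZE 60
#define ENTRY_SIZE 8

struct fake_sp {                    /* stands in for the mapped PCI BAR */
    uint32_t reader, writer;        /* device-controlled index registers */
    uint32_t writer_after;          /* value the device writes mid-loop */
    int flip_at;                    /* entries consumed before it does so */
    uint8_t queue[REMOTE_QUEUE_SIZE * ENTRY_SIZE];
};

/* Returns entries consumed, or -1 if an out-of-range index was seen. */
int drain_queue(struct fake_sp *sp)
{
    uint8_t entry[ENTRY_SIZE];
    int consumed = 0;
    uint32_t reader = sp->reader, writer = sp->writer;

    while (reader != writer) {
        /* Validate both indices before computing any queue address. */
        if (reader >= REMOTE_QUEUE_SIZE || writer >= REMOTE_QUEUE_SIZE) {
            sp->reader = 0;         /* reset so a transient fault can clear */
            return -1;
        }
        memcpy(entry, sp->queue + reader * ENTRY_SIZE, ENTRY_SIZE);
        consumed++;
        reader = (reader + 1) % REMOTE_QUEUE_SIZE;
        sp->reader = reader;
        if (consumed == sp->flip_at)    /* simulated hardware update */
            sp->writer = sp->writer_after;
        writer = sp->writer;        /* re-read on every iteration */
    }
    return consumed;
}

int main(void)
{
    struct fake_sp sp = { .reader = 0, .writer = 5, .writer_after = 4096, .flip_at = 2 };
    int r = drain_queue(&sp);
    printf("result=%d reader=%u\n", r, (unsigned)sp.reader);
    return 0;
}
```

Because the check sits at the top of the loop body and writer is re-read at the bottom, an index that goes out of range mid-loop is rejected before the next entry address is computed.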

Related Identifiers

CVE-2026-46022

Affected Products

Linux