
List:       git-commits-head
Subject:    RDMA/cm: Add min length checks to user structure copies
From:       Linux Kernel Mailing List <linux-kernel () vger ! kernel ! org>
Date:       2020-07-31 16:42:14
Message-ID: git-mailbomb-linux-master-31142a4ba617f5aa8aefdf1c65561ca30d43f360 () kernel ! org

Commit:     31142a4ba617f5aa8aefdf1c65561ca30d43f360
Parent:     92ed301919932f777713b9172e525674157e983d
Refname:    refs/heads/master
Web:        https://git.kernel.org/torvalds/c/31142a4ba617f5aa8aefdf1c65561ca30d43f360
Author:     Jason Gunthorpe <jgg@nvidia.com>
AuthorDate: Fri Jul 24 10:19:29 2020 -0300
Committer:  Jason Gunthorpe <jgg@nvidia.com>
CommitDate: Mon Jul 27 11:50:00 2020 -0300

    RDMA/cm: Add min length checks to user structure copies
    
    These are missing throughout ucma; it harmlessly copies garbage from
    userspace, but in this new code, which uses min to compute the copy length,
    it can result in uninitialized stack memory. Check for minimum length at
    the very start.
    
      BUG: KMSAN: uninit-value in ucma_connect+0x2aa/0xab0 drivers/infiniband/core/ucma.c:1091
      CPU: 0 PID: 8457 Comm: syz-executor069 Not tainted 5.8.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1df/0x240 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       ucma_connect+0x2aa/0xab0 drivers/infiniband/core/ucma.c:1091
       ucma_write+0x5c5/0x630 drivers/infiniband/core/ucma.c:1764
       do_loop_readv_writev fs/read_write.c:737 [inline]
       do_iter_write+0x710/0xdc0 fs/read_write.c:1020
       vfs_writev fs/read_write.c:1091 [inline]
       do_writev+0x42d/0x8f0 fs/read_write.c:1134
       __do_sys_writev fs/read_write.c:1207 [inline]
       __se_sys_writev+0x9b/0xb0 fs/read_write.c:1204
       __x64_sys_writev+0x4a/0x70 fs/read_write.c:1204
       do_syscall_64+0xb0/0x150 arch/x86/entry/common.c:386
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: 34e2ab57a911 ("RDMA/ucma: Extend ucma_connect to receive ECE parameters")
    Fixes: 0cb15372a615 ("RDMA/cma: Connect ECE to rdma_accept")
    Link: https://lore.kernel.org/r/0-v1-d5b86dab17dc+28c25-ucma_syz_min_jgg@nvidia.com
    Reported-by: syzbot+086ab5ca9eafd2379aa6@syzkaller.appspotmail.com
    Reported-by: syzbot+7446526858b83c8828b2@syzkaller.appspotmail.com
    Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/infiniband/core/ucma.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 5b87eee8ccc8..d03dacaef788 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1084,6 +1084,8 @@ static ssize_t ucma_connect(struct ucma_file *file, const char __user *inbuf,
 	size_t in_size;
 	int ret;
 
+	if (in_len < offsetofend(typeof(cmd), reserved))
+		return -EINVAL;
 	in_size = min_t(size_t, in_len, sizeof(cmd));
 	if (copy_from_user(&cmd, inbuf, in_size))
 		return -EFAULT;
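Review bot: the new `in_len < offsetofend(typeof(cmd), reserved)` check only guarantees that the bytes of `cmd` up to and including `reserved` are filled from userspace; for `in_len` between that offset and `sizeof(cmd)` the `min_t` copy still leaves the tail of `cmd` (the fields after `reserved`) holding whatever was on the stack, so the code following this hunk must either gate every use of those fields on `in_size` or `cmd` should be zero-initialised before the `copy_from_user` (e.g. `struct ... cmd = {};` or a `memset(&cmd, 0, sizeof(cmd));` at the top of the function). A one-line comment above the check stating that everything through `reserved` is the mandatory part of the ABI would also help the next reader see why `reserved`, and not `sizeof(cmd)`, is the bound.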
@@ -1141,6 +1143,8 @@ static ssize_t ucma_accept(struct ucma_file *file, const char __user *inbuf,
 	size_t in_size;
 	int ret;
 
+	if (in_len < offsetofend(typeof(cmd), reserved))
+		return -EINVAL;
 	in_size = min_t(size_t, in_len, sizeof(cmd));
 	if (copy_from_user(&cmd, inbuf, in_size))
 		return -EFAULT;
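Review bot: this is the same two-line check as in `ucma_connect` with the same caveat about the tail of `cmd` after a short copy; since the commit message says the length check is "missing throughout ucma", consider factoring it into a small helper (or a macro taking the command struct and its last mandatory field) so the remaining handlers can be fixed consistently in a follow-up rather than by copy-paste, and so the zeroing or `in_size` gating of the optional tail lives in one place.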