| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Sep 2016 13:45:34 +0300
From: Yishai Hadas <yishaih@....mellanox.co.il>
To: Knut Omang <knut.omang@...cle.com>
Cc: Doug Ledford <dledford@...hat.com>, linux-rdma@...r.kernel.org,
linux-kernel@...r.kernel.org, Sean Hefty <sean.hefty@...el.com>,
Hal Rosenstock <hal.rosenstock@...il.com>,
Matan Barak <matanb@...lanox.com>,
Sagi Grimberg <sagi@...mberg.me>,
Yishai Hadas <yishaih@...lanox.com>,
Leon Romanovsky <leonro@...lanox.com>,
Majd Dibbiny <majd@...lanox.com>,
Eran Ben Elisha <eranbe@...lanox.com>,
Or Gerlitz <ogerlitz@...lanox.com>
Subject: Re: [PATCH v2 5/8] ib_uverbs: Add padding to end align
ib_uverbs_reg_mr_resp
On 9/16/2016 9:31 PM, Knut Omang wrote:
> The ib_uverbs_reg_mr_resp structure was not 64 bit end aligned
> as required by the protocol. This causes alignment issues
> if a device specific driver needs to transfer extra response
> arguments.
>
> Avoid breaking backward compatibility by improving the handling
> of the length checking in ib_uverbs_reg_mr to consider the case
> where the kernel has been updated, but user space still has
> the old length without padding.
>
> Signed-off-by: Knut Omang <knut.omang@...cle.com>
> ---
> drivers/infiniband/core/uverbs_cmd.c | 10 ++++++----
> include/uapi/rdma/ib_user_verbs.h | 1 +
> 2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
> index dbc5885..fa8a717 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -967,16 +967,18 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
> struct ib_pd *pd;
> struct ib_mr *mr;
> int ret;
> + size_t resp_size = sizeof resp;
>
> - if (out_len < sizeof resp)
> - return -ENOSPC;
> + if (out_len < resp_size) {
> + resp_size = out_len;
> + }
You don't preserve the minimum response size error checking in your code
(i.e -ENOSPC). We can expect an error if outlen is less than the
offset of rkey in ib_uverbs_reg_mr_resp.
Please note that below call to copy_to_user will succeed as it copies
now based on resp_size and won't return the basic mandatory output.
> if (copy_from_user(&cmd, buf, sizeof cmd))
> return -EFAULT;
>
> INIT_UDATA(&udata, buf + sizeof cmd,
> (unsigned long) cmd.response + sizeof resp,
> - in_len - sizeof cmd, out_len - sizeof resp);
> + in_len - sizeof cmd, out_len - resp_size);
>
> if ((cmd.start & ~PAGE_MASK) != (cmd.hca_va & ~PAGE_MASK))
> return -EINVAL;
> @@ -1030,7 +1032,7 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
> resp.mr_handle = uobj->id;
>
> if (copy_to_user((void __user *) (unsigned long) cmd.response,
> - &resp, sizeof resp)) {
> + &resp, resp_size)) {
> ret = -EFAULT;
> goto err_copy;
> }
> diff --git a/include/uapi/rdma/ib_user_verbs.h b/include/uapi/rdma/ib_user_verbs.h
> index 7f035f4..6b8c9c0 100644
> --- a/include/uapi/rdma/ib_user_verbs.h
> +++ b/include/uapi/rdma/ib_user_verbs.h
> @@ -307,6 +307,7 @@ struct ib_uverbs_reg_mr_resp {
> __u32 mr_handle;
> __u32 lkey;
> __u32 rkey;
> + __u32 reserved;
> };
>
> struct ib_uverbs_rereg_mr {
>
Powered by blists - more mailing lists