lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 4 Apr 2021 16:13:17 +0300
From:   Mark Bloch <mbloch@...dia.com>
To:     Leon Romanovsky <leon@...nel.org>,
        Dan Carpenter <dan.carpenter@...cle.com>
CC:     Doug Ledford <dledford@...hat.com>, Jason Gunthorpe <jgg@...pe.ca>,
        "Mark Bloch" <markb@...lanox.com>, <linux-rdma@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <kernel-janitors@...r.kernel.org>
Subject: Re: [PATCH] RDMA/addr: potential uninitialized variable in
 ib_nl_process_good_ip_rsep()

On 4/4/21 1:33 PM, Leon Romanovsky wrote:
> On Fri, Apr 02, 2021 at 02:47:23PM +0300, Dan Carpenter wrote:
>> The nla_len() is less than or equal to 16.  If it's less than 16 then
>> end of the "gid" buffer is uninitialized.
>>
>> Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
>> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
>> ---
>> I just spotted this in review.  I think it's a bug but I'm not 100%.
> 
> I tend to agree with you, that it is a bug.
> 
> LS_NLA_TYPE_DGID is declared as NLA_BINARY which doesn't complain if
> data is less than declared ".len". However, the fix needs to be in
> ib_nl_is_good_ip_resp(), it shouldn't return "true" if length not equal
> to 16.

What about just updating the policy? The bellow diff should work I believe.

diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
index 0abce004a959..65e3e7df8a4b 100644
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -76,7 +76,9 @@ static struct workqueue_struct *addr_wq;
 
 static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = {
        [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY,
-               .len = sizeof(struct rdma_nla_ls_gid)},
+               .len = sizeof(struct rdma_nla_ls_gid),
+               .validation_type = NLA_VALIDATE_MIN,
+               .min = sizeof(struct rdma_nla_ls_gid)},
 };
 
 static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)

> 
> Thanks
> 

Mark

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ