lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 4 Apr 2021 16:15:35 +0300
From:   Leon Romanovsky <leon@...nel.org>
To:     Mark Bloch <mbloch@...dia.com>
Cc:     Dan Carpenter <dan.carpenter@...cle.com>,
        Doug Ledford <dledford@...hat.com>,
        Jason Gunthorpe <jgg@...pe.ca>,
        Mark Bloch <markb@...lanox.com>, linux-rdma@...r.kernel.org,
        linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] RDMA/addr: potential uninitialized variable in
 ib_nl_process_good_ip_rsep()

On Sun, Apr 04, 2021 at 04:13:17PM +0300, Mark Bloch wrote:
> On 4/4/21 1:33 PM, Leon Romanovsky wrote:
> > On Fri, Apr 02, 2021 at 02:47:23PM +0300, Dan Carpenter wrote:
> >> The nla_len() is less than or equal to 16.  If it's less than 16 then
> >> end of the "gid" buffer is uninitialized.
> >>
> >> Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> >> ---
> >> I just spotted this in review.  I think it's a bug but I'm not 100%.
> > 
> > I tend to agree with you, that it is a bug.
> > 
> > LS_NLA_TYPE_DGID is declared as NLA_BINARY which doesn't complain if
> > data is less than declared ".len". However, the fix needs to be in
> > ib_nl_is_good_ip_resp(), it shouldn't return "true" if length not equal
> > to 16.
> 
> What about just updating the policy? The bellow diff should work I believe.

I didn't know about ".validation_type", but yes this change will be enough.

> 
> diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
> index 0abce004a959..65e3e7df8a4b 100644
> --- a/drivers/infiniband/core/addr.c
> +++ b/drivers/infiniband/core/addr.c
> @@ -76,7 +76,9 @@ static struct workqueue_struct *addr_wq;
>  
>  static const struct nla_policy ib_nl_addr_policy[LS_NLA_TYPE_MAX] = {
>         [LS_NLA_TYPE_DGID] = {.type = NLA_BINARY,
> -               .len = sizeof(struct rdma_nla_ls_gid)},
> +               .len = sizeof(struct rdma_nla_ls_gid),
> +               .validation_type = NLA_VALIDATE_MIN,
> +               .min = sizeof(struct rdma_nla_ls_gid)},
>  };
>  
>  static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
> 
> > 
> > Thanks
> > 
> 
> Mark

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ