| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Dec 2022 15:14:42 +0000
From: "lizhijian@...itsu.com" <lizhijian@...itsu.com>
To: "jgg@...pe.ca" <jgg@...pe.ca>, "leon@...nel.org" <leon@...nel.org>,
"zyjzyj2000@...il.com" <zyjzyj2000@...il.com>
CC: "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"Daisuke Matsuda (Fujitsu)" <matsuda-daisuke@...itsu.com>
Subject: Re: [PATCH] RDMA/rxe: fix possible NULL MR dereference
NOTE: This is for-rc
on 12/2/2022 10:57 PM, Li Zhijian wrote:
> Daisuke mentioned that:
> If responder get a zero-byte RDMA Read request, qp->resp.mr
> is not set in check_rkey(). The mr is NULL in this case, and a NULL pointer
> dereference occurs as shown below.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000010
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 0 P4D 0
> Oops: 0002 [#1] PREEMPT SMP PTI
> CPU: 2 PID: 3622 Comm: python3 Kdump: loaded Not tainted 6.1.0-rc3+ #34
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:__rxe_put+0xc/0x60 [rdma_rxe]
> Code: cc cc cc 31 f6 e8 64 36 1b d3 41 b8 01 00 00 00 44 89 c0 c3 cc cc cc cc 41 89 c0 eb c1 90 0f 1f 44 00 00 41 54 b8 ff ff ff ff <f0> 0f c1 47 10 83 f8 01 74 11 45 31 e4 85 c0 7e 20 44 89 e0 41 5c
> RSP: 0018:ffffb27bc012ce78 EFLAGS: 00010246
> RAX: 00000000ffffffff RBX: ffff9790857b0580 RCX: 0000000000000000
> RDX: ffff979080fe145a RSI: 000055560e3e0000 RDI: 0000000000000000
> RBP: ffff97909c7dd800 R08: 0000000000000001 R09: e7ce43d97f7bed0f
> R10: ffff97908b29c300 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: ffff97908b29c300 R15: 0000000000000000
> FS: 00007f276f7bd740(0000) GS:ffff9792b5c80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000010 CR3: 0000000114230002 CR4: 0000000000060ee0
> Call Trace:
> <IRQ>
> read_reply+0xda/0x310 [rdma_rxe]
> rxe_responder+0x82d/0xe50 [rdma_rxe]
> do_task+0x84/0x170 [rdma_rxe]
> tasklet_action_common.constprop.0+0xa7/0x120
> __do_softirq+0xcb/0x2ac
> do_softirq+0x63/0x90
> </IRQ>
>
> Test mr before dereference it to avoid this problem.
>
> Fixes: b5f9a01fae42 ("RDMA/rxe: Fix mr leak in RESPST_ERR_RNR")
> Reported-by: Daisuke Matsuda <matsuda-daisuke@...itsu.com>
> Signed-off-by: Li Zhijian <lizhijian@...itsu.com>
> ---
> Hope we can catch up with 6.1
> ---
> drivers/infiniband/sw/rxe/rxe_resp.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
> index 693081e813ec..bbb9665c64ad 100644
> --- a/drivers/infiniband/sw/rxe/rxe_resp.c
> +++ b/drivers/infiniband/sw/rxe/rxe_resp.c
> @@ -807,7 +807,8 @@ static enum resp_states read_reply(struct rxe_qp *qp,
> skb = prepare_ack_packet(qp, &ack_pkt, opcode, payload,
> res->cur_psn, AETH_ACK_UNLIMITED);
> if (!skb) {
> - rxe_put(mr);
> + if (mr)
> + rxe_put(mr);
> return RESPST_ERR_RNR;
> }
>
Powered by blists - more mailing lists