lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <SA0PR15MB39195D9A37167945185F819F99AC9@SA0PR15MB3919.namprd15.prod.outlook.com>
Date:   Tue, 28 Feb 2023 10:05:29 +0000
From:   Bernard Metzler <BMT@...ich.ibm.com>
To:     Daniil Dulov <d.dulov@...ddin.ru>
CC:     Doug Ledford <dledford@...hat.com>, Jason Gunthorpe <jgg@...pe.ca>,
        "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "lvc-project@...uxtesting.org" <lvc-project@...uxtesting.org>
Subject: RE:  [PATCH] RDMA/siw: Fix potential page_array out of range access



> -----Original Message-----
> From: Daniil Dulov <d.dulov@...ddin.ru>
> Sent: Monday, 27 February 2023 10:18
> To: Bernard Metzler <BMT@...ich.ibm.com>
> Cc: Daniil Dulov <d.dulov@...ddin.ru>; Doug Ledford <dledford@...hat.com>;
> Jason Gunthorpe <jgg@...pe.ca>; linux-rdma@...r.kernel.org; linux-
> kernel@...r.kernel.org; lvc-project@...uxtesting.org
> Subject: [EXTERNAL] [PATCH] RDMA/siw: Fix potential page_array out of range
> access
> 
> When seg is equal to MAX_ARRAY, the loop should break, otherwise
> it will result in out of range access.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: b9be6f18cf9e ("rdma/siw: transmit path")
> Signed-off-by: Daniil Dulov <d.dulov@...ddin.ru>
> ---
>  drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c
> b/drivers/infiniband/sw/siw/siw_qp_tx.c
> index 3c3ae5ef2942..f9eb314c6e14 100644
> --- a/drivers/infiniband/sw/siw/siw_qp_tx.c
> +++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
> @@ -548,7 +548,7 @@ static int siw_tx_hdt(struct siw_iwarp_tx *c_tx, struct
> socket *s)
>  			data_len -= plen;
>  			fp_off = 0;
> 
> -			if (++seg > (int)MAX_ARRAY) {
> +			if (++seg == (int)MAX_ARRAY) {

Absolutely! For superstitious people like me,
maybe even write '>=' here. Thank you!

>  				siw_dbg_qp(tx_qp(c_tx), "to many fragments\n");
>  				siw_unmap_pages(page_array, kmap_mask);
>  				wqe->processed -= c_tx->bytes_unsent;
> --
> 2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ