From: Leon Romanovsky <leon@kernel.org>
To: Doug Ledford <dledford@redhat.com>
Cc: Boris Pismenny <borisp@mellanox.com>,
stable@vger.kernel.org, security@kernel.org,
Yevgeny Kliteynik <kliteyn@mellanox.com>,
Tziporet Koren <tziporet@mellanox.com>,
Alex Polak <alexpo@mellanox.com>
Subject: [PATCH security IB/uverbs: Perform validity check for supplied port number in create_ah
Date: Tue, 27 Jun 2017 15:09:13 +0300
Message-ID: <20170627120913.14963-1-leon@kernel.org>
From: Boris Pismenny <borisp@mellanox.com>
The ib_uverbs_create_ah() call receives the port number as part of its
attributes and assumes it is valid. Down on the stack, that parameter
is used to access kernel data structures.
BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
CPU: 0 PID: 313 Comm: syz-executor Not tainted 4.12.0-rc3+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
dump_stack+0x95/0xeb
print_address_description+0x78/0x290
kasan_report+0x25f/0x370
? ib_uverbs_create_ah+0x6d5/0x7b0
__asan_report_load4_noabort+0x19/0x20
ib_uverbs_create_ah+0x6d5/0x7b0
? ib_uverbs_post_srq_recv+0x4f0/0x4f0
? sched_clock_cpu+0x1b/0x190
? sched_clock_cpu+0x1b/0x190
? sched_clock_cpu+0x1b/0x190
? __lock_acquire+0x9ed/0x14e0
ib_uverbs_write+0x5a5/0xb20
? ib_uverbs_write+0x5a5/0xb20
? ib_uverbs_post_srq_recv+0x4f0/0x4f0
? ib_uverbs_post_srq_recv+0x4f0/0x4f0
? ib_uverbs_open+0x740/0x740
? lock_acquire+0x370/0x370
? trace_hardirqs_on+0xd/0x10
? ldsem_up_read+0x3f/0x70
? sched_clock_cpu+0x1b/0x190
? sched_clock_cpu+0x1b/0x190
__vfs_write+0x118/0x580
? sched_clock_cpu+0x1b/0x190
? ib_uverbs_open+0x740/0x740
? __vfs_read+0x560/0x560
? lock_acquire+0x370/0x370
? __fget+0x4c/0x380
? __fget+0x234/0x380
? rw_verify_area+0xca/0x290
vfs_write+0x192/0x490
SyS_write+0xde/0x1c0
? SyS_read+0x1c0/0x1c0
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x18/0xad
RIP: 0033:0x4471f9
RSP: 002b:00007f44d0379c18 EFLAGS: 00000216 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 00000000004471f9
RDX: 0000000000000018 RSI: 0000000020025000 RDI: 0000000000000003
RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: ffff880014b7ff98
R13: 0000000020025000 R14: 0000000000000003 R15: 00000000ffffffff
Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Cc: <stable@vger.kernel.org> # v2.6.14+
Cc: <security@kernel.org>
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
---
Hi Doug and Security Team,
How should we proceed with the following patch?
A malicious user (non-root) can send the ib_create_ah() command
to the exposed /sys/class/infiniband_verbs/uverbs* file. All that is
needed is to provide a port number which is out-of-range and it will
kill the system.
One needs to be root to open the uverbs* file, but after that those
permissions can be dropped.
Thanks
---
drivers/infiniband/core/uverbs_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 70b7fb156414..6065395b6465 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2541,6 +2541,9 @@ ssize_t ib_uverbs_create_ah(struct ib_uverbs_file *file,
if (copy_from_user(&cmd, buf, sizeof cmd))
return -EFAULT;
+ if (!rdma_is_port_valid(ib_dev, cmd.attr.port_num))
+ return -EINVAL;
+
INIT_UDATA(&udata, buf + sizeof(cmd),
(unsigned long)cmd.response + sizeof(resp),
in_len - sizeof(cmd), out_len - sizeof(resp));
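Review bot: the new rdma_is_port_valid() check is placed correctly, directly after copy_from_user() and before INIT_UDATA() and any uobject allocation, so the early `return -EINVAL;` has nothing to undo and cannot leak a reference. Two points worth settling in the same series: whether the other uverbs commands that carry a port number in user-supplied attributes need the same guard (this hunk only covers ib_uverbs_create_ah()), and whether the Fixes: tag should point at the commit that introduced the per-port table access rather than the original command implementation, since that determines how far back stable needs to carry it.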
--
2.13.1
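The guard the patch adds, modelled in user space as an added example (this is not kernel code and not part of the patch): a constructed `model_ib_device` stands in for the few `struct ib_device` fields the check needs, `model_is_port_valid()` mirrors the semantics of the kernel's `rdma_is_port_valid()` (ports run from 1 to `phys_port_cnt`, or only port 0 for an IB switch, following `rdma_start_port()`/`rdma_end_port()`), and `model_port_lookup()` shows a per-port table access being refused for an out-of-range port instead of indexing the table with user-controlled data. `demo_hca` and `demo_lookup()` are constructed sample inputs for the self-check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the struct ib_device fields the check needs.
 * The per-port table is indexed directly by the port number, which is why
 * an unchecked port_num from user space walks off the end of it. */
struct model_ib_device {
    uint32_t phys_port_cnt;  /* ports are numbered 1..phys_port_cnt */
    bool     is_ib_switch;   /* an IB switch exposes a single port numbered 0 */
    int      port_state[8];  /* constructed per-port data, index = port number */
};

/* Modelled after rdma_start_port()/rdma_end_port(). */
static uint32_t model_start_port(const struct model_ib_device *dev)
{
    return dev->is_ib_switch ? 0 : 1;
}

static uint32_t model_end_port(const struct model_ib_device *dev)
{
    return dev->is_ib_switch ? 0 : dev->phys_port_cnt;
}

/* Same predicate the patch inserts before any per-port lookup. */
bool model_is_port_valid(const struct model_ib_device *dev, uint32_t port)
{
    return port >= model_start_port(dev) && port <= model_end_port(dev);
}

/* Guarded lookup: -EINVAL for an out-of-range port, 0 and *state otherwise.
 * The table is only touched after the range check has passed. */
int model_port_lookup(const struct model_ib_device *dev, uint32_t port, int *state)
{
    if (!model_is_port_valid(dev, port))
        return -EINVAL;
    *state = dev->port_state[port];
    return 0;
}

/* Constructed two-port HCA used by main() and by the self-check. */
static const struct model_ib_device demo_hca = {
    .phys_port_cnt = 2,
    .is_ib_switch  = false,
    .port_state    = { 0, 4, 1 },
};

/* Return code of a lookup against demo_hca (0 or -EINVAL). */
int demo_lookup(uint32_t port)
{
    int state;
    return model_port_lookup(&demo_hca, port, &state);
}

int main(void)
{
    /* Constructed sample port numbers: the two valid ones plus three that
     * a user could pass in cmd.attr.port_num and that must be refused. */
    const uint32_t samples[] = { 0, 1, 2, 3, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = demo_lookup(samples[i]);
        printf("port %u -> %s\n", samples[i], rc ? "-EINVAL" : "ok");
    }
    return 0;
}
```

The check is inclusive on both ends, so for a switch (`is_ib_switch` set) only port 0 passes, and for an HCA port 0 is refused along with anything above `phys_port_cnt`.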
Thread overview:
2017-06-27 12:09 Leon Romanovsky [this message]
2017-06-29 16:41 ` Doug Ledford
2017-06-29 18:16 ` Leon Romanovsky
2017-06-29 18:30 ` Linus Torvalds
2017-06-29 18:40 ` Leon Romanovsky