From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
	RDMA mailing list
	<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Alaa Hleihel <alaa-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
	Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
	Noa Osherovich <noaos-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 03/15] IB/uverbs: Always the attribute size provided by the user
Date: Tue, 13 Feb 2018 12:18:29 +0200	[thread overview]
Message-ID: <20180213101841.20101-4-leon@kernel.org> (raw)
In-Reply-To: <20180213101841.20101-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>

From: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

This fixes several bugs around the copy_to/from user path:
 - copy_to used the user-provided size of the attribute
   and could copy data beyond the end of the kernel buffer into
   userspace.
 - copy_from didn't know the size of the kernel buffer and
   could have left kernel memory unexpectedly uninitialized.
 - copy_from did not use the user length to determine whether the
   attribute data is inlined or not.

Signed-off-by: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
 drivers/infiniband/core/uverbs_std_types.c |  5 +++--
 include/rdma/uverbs_ioctl.h                | 35 ++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_std_types.c b/drivers/infiniband/core/uverbs_std_types.c
index cab0ac3556eb..c6502c7b7c46 100644
--- a/drivers/infiniband/core/uverbs_std_types.c
+++ b/drivers/infiniband/core/uverbs_std_types.c
@@ -323,7 +323,8 @@ static int uverbs_create_cq_handler(struct ib_device *ib_dev,
 	cq->res.type = RDMA_RESTRACK_CQ;
 	rdma_restrack_add(&cq->res);
 
-	ret = uverbs_copy_to(attrs, CREATE_CQ_RESP_CQE, &cq->cqe);
+	ret = uverbs_copy_to(attrs, CREATE_CQ_RESP_CQE, &cq->cqe,
+			     sizeof(cq->cqe));
 	if (ret)
 		goto err_cq;
 
@@ -375,7 +376,7 @@ static int uverbs_destroy_cq_handler(struct ib_device *ib_dev,
 	resp.comp_events_reported  = obj->comp_events_reported;
 	resp.async_events_reported = obj->async_events_reported;
 
-	return uverbs_copy_to(attrs, DESTROY_CQ_RESP, &resp);
+	return uverbs_copy_to(attrs, DESTROY_CQ_RESP, &resp, sizeof(resp));
 }
 
 static DECLARE_UVERBS_METHOD(
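Review bot: `sizeof(resp)` now makes the whole of `resp` eligible for `copy_to_user`, but only two members are assigned in the visible lines of uverbs_destroy_cq_handler. The declaration of `resp` is above this hunk, so it cannot be seen here whether the struct is zero-initialised or has further members or padding. If it is not fully initialised, those bytes would reach user space as stale kernel stack. It is worth confirming, and if needed giving the declaration an `= {}` initialiser or adding `memset(&resp, 0, sizeof(resp));` before the assignments.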
diff --git a/include/rdma/uverbs_ioctl.h b/include/rdma/uverbs_ioctl.h
index 6da44079aa58..32cb14703914 100644
--- a/include/rdma/uverbs_ioctl.h
+++ b/include/rdma/uverbs_ioctl.h
@@ -351,29 +351,50 @@ static inline const struct uverbs_attr *uverbs_attr_get(const struct uverbs_attr
 }
 
 static inline int uverbs_copy_to(const struct uverbs_attr_bundle *attrs_bundle,
-				 size_t idx, const void *from)
+				 size_t idx, const void *from, size_t size)
 {
 	const struct uverbs_attr *attr = uverbs_attr_get(attrs_bundle, idx);
 	u16 flags;
+	size_t min_size;
 
 	if (IS_ERR(attr))
 		return PTR_ERR(attr);
 
+	min_size = min_t(size_t, attr->ptr_attr.len, size);
+	if (copy_to_user(attr->ptr_attr.ptr, from, min_size))
+		return -EFAULT;
+
 	flags = attr->ptr_attr.flags | UVERBS_ATTR_F_VALID_OUTPUT;
-	return (!copy_to_user(attr->ptr_attr.ptr, from, attr->ptr_attr.len) &&
-		!put_user(flags, &attr->uattr->flags)) ? 0 : -EFAULT;
+	if (put_user(flags, &attr->uattr->flags))
+		return -EFAULT;
+
+	return 0;
 }
 
-static inline int _uverbs_copy_from(void *to, size_t to_size,
+static inline bool uverbs_attr_ptr_is_inline(const struct uverbs_attr *attr)
+{
+	return attr->ptr_attr.len <= sizeof(attr->ptr_attr.data);
+}
+
+static inline int _uverbs_copy_from(void *to,
 				    const struct uverbs_attr_bundle *attrs_bundle,
-				    size_t idx)
+				    size_t idx,
+				    size_t size)
 {
 	const struct uverbs_attr *attr = uverbs_attr_get(attrs_bundle, idx);
 
 	if (IS_ERR(attr))
 		return PTR_ERR(attr);
 
-	if (to_size <= sizeof(((struct ib_uverbs_attr *)0)->data))
+	/*
+	 * Validation ensures attr->ptr_attr.len >= size. If the caller is
+	 * using UVERBS_ATTR_SPEC_F_MIN_SZ then it must call copy_from with
+	 * the right size.
+	 */
+	if (unlikely(size < attr->ptr_attr.len))
+		return -EINVAL;
+
+	if (uverbs_attr_ptr_is_inline(attr))
 		memcpy(to, &attr->ptr_attr.data, attr->ptr_attr.len);
 	else if (copy_from_user(to, attr->ptr_attr.ptr, attr->ptr_attr.len))
 		return -EFAULT;
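Review bot: Nothing in `_uverbs_copy_from` itself handles `attr->ptr_attr.len` being smaller than `size`: the new check only rejects `size < attr->ptr_attr.len`, and the lower bound rests on the validation the comment refers to, which is outside this hunk. If a caller using UVERBS_ATTR_SPEC_F_MIN_SZ ever passes a `size` larger than what user space supplied, the bytes of `to` past `len` stay unwritten and the function still succeeds, which is the uninitialised-kernel-memory case the commit message sets out to close. Consider zero-filling the tail after the copy, `memset(to + attr->ptr_attr.len, 0, size - attr->ptr_attr.len);`, or at least extending the comment to say that callers must not read beyond `len` bytes. The function's final return is outside the hunk.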
@@ -382,7 +403,7 @@ static inline int _uverbs_copy_from(void *to, size_t to_size,
 }
 
 #define uverbs_copy_from(to, attrs_bundle, idx)				      \
-	_uverbs_copy_from(to, sizeof(*(to)), attrs_bundle, idx)
+	_uverbs_copy_from(to, attrs_bundle, idx, sizeof(*to))
 
 /* =================================================
  *	 Definitions -> Specs infrastructure
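Review bot: The rewritten `uverbs_copy_from` macro drops the parentheses around its argument: the old form had `sizeof(*(to))`, the new one `sizeof(*to)`. With an argument such as `p + 1` the new form measures `*p + 1` rather than the pointed-to object, so the size handed to `_uverbs_copy_from` would no longer match the destination buffer. Keep the argument parenthesised: `_uverbs_copy_from(to, attrs_bundle, idx, sizeof(*(to)))`.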
-- 
2.16.1
