From: Raju Rangoju <rajur@chelsio.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] rdma/cxgb4: fix some info leaks
Date: Thu, 02 Aug 2018 12:23:38 +0000
Message-ID: <20180802121117.GA3244@chelsio.com>
In-Reply-To: <20180802075613.4zu6m6rv2dcumr5l@kili.mountain>
On Thursday, August 08/02/18, 2018 at 10:56:13 +0300, Dan Carpenter wrote:
> In c4iw_create_qp() there are several struct members which potentially
> aren't initialized like uresp.rq_key. I've fixed this code before in
> commit ae1fe07f3f42 ("RDMA/cxgb4: Fix stack info leak in
> c4iw_create_qp()") so this time I'm just going to take a big hammer
> approach and memset the whole struct to zero. Hopefully, it will stay
> fixed this time.
>
> In c4iw_create_srq() we don't clear uresp.reserved.
>
> Fixes: 6a0b6174d35a ("rdma/cxgb4: Add support for kernel mode SRQ's")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> These bugs are detected with Smatch btw if you want to go back to fixing
> them yourselves in a more delicate way.
>
> diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
> index 62e2c0d899f5..ba08e0839033 100644
> --- a/drivers/infiniband/hw/cxgb4/qp.c
> +++ b/drivers/infiniband/hw/cxgb4/qp.c
> @@ -2088,6 +2088,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
> goto err_free_sq_db_key;
> }
> }
> + memset(&uresp, 0, sizeof(uresp));
> if (t4_sq_onchip(&qhp->wq.sq)) {
> ma_sync_key_mm = kmalloc(sizeof(*ma_sync_key_mm),
> GFP_KERNEL);
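Review bot: The added memset(&uresp, 0, sizeof(uresp)); ahead of the if (t4_sq_onchip(&qhp->wq.sq)) block carries no comment saying why it is there. The commit message notes that this function was already fixed once for the same kind of leak, so a one-line comment stating that the whole struct must be zeroed to avoid the info leak would help keep a later cleanup from dropping the call.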
> @@ -2096,8 +2097,7 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
> goto err_free_rq_db_key;
> }
> uresp.flags = C4IW_QPF_ONCHIP;
> - } else
> - uresp.flags = 0;
> + }
> uresp.qid_mask = rhp->rdev.qpmask;
> uresp.sqid = qhp->wq.sq.qid;
> uresp.sq_size = qhp->wq.sq.size;
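Review bot: Dropping the else branch that set uresp.flags = 0 makes the non-onchip path depend entirely on the memset added in the previous hunk. That is correct while the memset stays ahead of this block, but the dependency is implicit; consider keeping the explicit assignment or mentioning in a comment on the memset that flags and the other conditionally set members rely on it.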
> @@ -2111,8 +2111,6 @@ struct ib_qp *c4iw_create_qp(struct ib_pd *pd, struct ib_qp_init_attr *attrs,
> if (ma_sync_key_mm) {
> uresp.ma_sync_key = ucontext->key;
> ucontext->key += PAGE_SIZE;
> - } else {
> - uresp.ma_sync_key = 0;
> }
> uresp.sq_key = ucontext->key;
> ucontext->key += PAGE_SIZE;
> @@ -2601,6 +2599,7 @@ struct ib_srq *c4iw_create_srq(struct ib_pd *pd, struct ib_srq_init_attr *attrs,
> ret = -ENOMEM;
> goto err_free_srq_key_mm;
> }
> + memset(&uresp, 0, sizeof(uresp));
> uresp.flags = srq->flags;
> uresp.qid_mask = rhp->rdev.qpmask;
> uresp.srqid = srq->wq.qid;
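Review bot: The single Fixes: tag names the SRQ support commit, which fits this memset in c4iw_create_srq() but may not cover the c4iw_create_qp() hunks above. If the uninitialized members in c4iw_create_qp() were introduced by a different commit, a second Fixes: tag would help stable maintainers pick the right backport range.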
Thanks Dan.
Acked-by: Raju Rangoju <rajur@chelsio.com>
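
The bug class discussed in this thread, as an added user-space illustration that is not code from the patch or the driver: a response struct built field by field over stale memory keeps old bytes in every member and padding byte the builder skips, while zeroing the whole struct first leaves none. The struct layout, field values and the 0xAA marker are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old stack contents */

/* Hypothetical response layout; not the driver's real uresp struct. */
struct demo_resp {
    uint32_t flags;
    uint32_t sqid;
    uint64_t sq_key;
    uint64_t rq_key;   /* only set when a receive queue exists */
    uint8_t  has_rq;   /* compilers typically insert padding after this */
    uint32_t reserved; /* never written by the fill code */
};

/* Fill the members the way a field-by-field builder would. */
static void fill_fields(struct demo_resp *r, int has_rq)
{
    r->flags = 1;
    r->sqid = 0x10;
    r->sq_key = 0x1000;
    r->has_rq = (uint8_t)has_rq;
    if (has_rq)
        r->rq_key = 0x2000;
}

/* Build a response over stale memory and count the bytes that would leak
 * if the whole struct were copied out to an untrusted reader. */
static size_t stale_bytes(int zero_first, int has_rq)
{
    unsigned char buf[sizeof(struct demo_resp)];
    struct demo_resp r;
    size_t i, n = 0;

    memset(&r, STALE, sizeof(r));   /* simulate a dirty stack slot */
    if (zero_first)
        memset(&r, 0, sizeof(r));   /* the whole-struct memset from the patch */
    fill_fields(&r, has_rq);
    memcpy(buf, &r, sizeof(r));     /* what a copy-out would transmit */
    for (i = 0; i < sizeof(buf); i++)
        n += (buf[i] == STALE);
    return n;
}

int main(void)
{
    printf("field-by-field, no rq: %zu stale bytes\n", stale_bytes(0, 0));
    printf("memset first,   no rq: %zu stale bytes\n", stale_bytes(1, 0));
    return 0;
}
```

The exact count in the field-by-field case depends on how much padding the compiler inserts, which is why a whole-struct memset is more robust than clearing individual members.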
Thread overview: 3+ messages
2018-08-02 7:56 [PATCH] rdma/cxgb4: fix some info leaks Dan Carpenter
2018-08-02 12:23 ` Raju Rangoju [this message]
2018-08-03 2:17 ` Jason Gunthorpe