From: Yuval Shaia <yuval.shaia@oracle.com>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Saar Amar <saaramar5@gmail.com>, Li Qiang <liq3ea@163.com>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH 1/5] rdma: check that num_sge does not exceed MAX_SGE
Date: Tue, 11 Dec 2018 16:51:54 +0200
Message-ID: <20181211145154.GA28105@lap1>
In-Reply-To: <20181211132642.3027-2-ppandit@redhat.com>
On Tue, Dec 11, 2018 at 06:56:38PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
> to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
> with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
> Add check to avoid it.
>
> Reported-by: Saar Amar <saaramar5@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/rdma/rdma_backend.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
> index d7a4bbd91f..0b3b98a94c 100644
> --- a/hw/rdma/rdma_backend.c
> +++ b/hw/rdma/rdma_backend.c
> @@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
> }
>
> pr_dbg("num_sge=%d\n", num_sge);
> - if (!num_sge) {
> - pr_dbg("num_sge=0\n");
> + if (!num_sge || num_sge > MAX_SGE) {
> + pr_dbg("invalid num_sge=%d\n", num_sge);
> comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
Please use VENDOR_ERR_INV_NUM_SGE
> return;
> }
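Review bot: in rdma_backend_post_send the widened test `!num_sge || num_sge > MAX_SGE` still completes with VENDOR_ERR_NO_SGE, so a guest-supplied count above MAX_SGE is reported with the same vendor error as an empty list; a distinct code for the out-of-range case would let the completion distinguish the two. The value is also printed with %d: if num_sge is a signed type, a negative count passes both halves of the condition, so confirm the parameter is unsigned or add a lower bound.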
> @@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
> }
>
> pr_dbg("num_sge=%d\n", num_sge);
> - if (!num_sge) {
> - pr_dbg("num_sge=0\n");
> + if (!num_sge || num_sge > MAX_SGE) {
> + pr_dbg("invalid num_sge=%d\n", num_sge);
> comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
Ditto.
And since VENDOR_ERR_NO_SGE is no longer used it can be deleted.
> return;
> }
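Review bot: the check in rdma_backend_post_recv is a line-for-line copy of the one in rdma_backend_post_send, including the pr_dbg text and the comp_handler call; a small shared helper that validates num_sge against MAX_SGE would keep the two paths from diverging if the limit or the error handling changes later. The unconditional pr_dbg("num_sge=%d\n", num_sge) just above already logs the value, so one of the two debug lines is redundant on the error path.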
> --
> 2.19.2
>