From: Jason Gunthorpe <jgg@nvidia.com>
To: "Nikolova, Tatyana E" <tatyana.e.nikolova@intel.com>
Cc: "dledford@redhat.com" <dledford@redhat.com>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"Saleem, Shiraz" <shiraz.saleem@intel.com>,
"Ismail, Mustafa" <mustafa.ismail@intel.com>,
coverity-bot <keescook+coverity-bot@chromium.org>
Subject: Re: [PATCH rdma-next 1/3] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
Date: Tue, 22 Jun 2021 20:33:36 -0300 [thread overview]
Message-ID: <20210622233336.GH2371267@nvidia.com> (raw)
In-Reply-To: <DM6PR11MB4692C781B07DD976DD9D7C7FCB099@DM6PR11MB4692.namprd11.prod.outlook.com>
On Tue, Jun 22, 2021 at 09:56:42PM +0000, Nikolova, Tatyana E wrote:
> > > switch (req.reg_type) {
> > > case IRDMA_MEMREG_TYPE_QP:
> > > + if (req.sq_pages + req.rq_pages + shadow_pgcnt > iwmr-
> > >page_cnt) {
> >
> > Math on values from userspace should use the check overflow helpers or
> > otherwise be designed to be overflow safe
>
> The mem_reg_req fields sq_pages and rq_pages are u16 and the
> variable shadow_pgcnt is u8. They should be promoted to u32 when
> compared with iwmr->page_cnt which is u32. Isn't this overflow safe?
I didn't check the sizes carefully, and I'm always nervous about
relying on implicit promotion for security properties as it is so
subtle and easy to get screwed up during maintenance
> Is the issue you are mentioning about this line:
> > > + qpmr->shadow = (dma_addr_t)arr[req->sq_pages + req->rq_pages];
I assume this is safe because of the if above?
Jason
next prev parent reply other threads:[~2021-06-22 23:33 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-22 17:52 [PATCH rdma-next 0/3] irdma coverity fixes Tatyana Nikolova
2021-06-22 17:52 ` [PATCH rdma-next 1/3] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
2021-06-22 17:58 ` Jason Gunthorpe
2021-06-22 21:56 ` Nikolova, Tatyana E
2021-06-22 23:33 ` Jason Gunthorpe [this message]
2021-06-22 17:52 ` [PATCH rdma-next 2/3] RDMA/irdma: Check return value from ib_umem_find_best_pgsz Tatyana Nikolova
2021-06-22 18:28 ` Jason Gunthorpe
2021-06-22 17:52 ` [PATCH rdma-next 3/3] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
2021-06-22 18:07 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210622233336.GH2371267@nvidia.com \
--to=jgg@nvidia.com \
--cc=dledford@redhat.com \
--cc=keescook+coverity-bot@chromium.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mustafa.ismail@intel.com \
--cc=shiraz.saleem@intel.com \
--cc=tatyana.e.nikolova@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.