From: Jason Gunthorpe <jgg@nvidia.com>
To: Kai Zen <kai.aizen.dev@gmail.com>
Cc: Abhijit Gangurde <abhijit.gangurde@amd.com>,
Allen Hubbe <allen.hubbe@amd.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] RDMA/ionic: bound node_desc sysfs read with %.64s
Date: Thu, 9 Apr 2026 12:51:25 -0300
Message-ID: <20260409155125.GA2019081@nvidia.com>
In-Reply-To: <CALynFi7NAbhDCt1tdaDbf6TnLvAqbaHa6-Wqf6OkzREbA_PAfg@mail.gmail.com>

On Tue, Apr 07, 2026 at 12:20:22PM +0300, Kai Zen wrote:
> node_desc[64] in struct ib_device is not guaranteed to be NUL-
> terminated. The core IB sysfs handler uses "%.64s" for exactly this
> reason (drivers/infiniband/core/sysfs.c:1307), since node_desc_store()
> performs a raw memcpy of up to IB_DEVICE_NODE_DESC_MAX bytes with no
> NUL termination:
>
> memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
>
> If exactly 64 bytes are written via the node_desc sysfs file, the
> array contains no NUL byte. The ionic hca_type_show() handler uses
> unbounded "%s" and will read past the end of node_desc into adjacent
> fields of struct ib_device until it encounters a NUL.
>
> Match the core handler and bound the format specifier.
>
> Verified against torvalds/linux.git master at bfe62a45.
>
> Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
> ---
> drivers/infiniband/hw/ionic/ionic_ibdev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Your diff is malformed but I fixed it up and added a Fixes tag.

Thanks,
Jason
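
A user-space model of the over-read described in the quoted commit message, added here as an illustration and not taken from the patch or the kernel tree. `struct fake_dev`, its `adjacent` field and the helper names are hypothetical stand-ins, and `snprintf` stands in for the sysfs show path.

```c
#include <stdio.h>
#include <string.h>

#define NODE_DESC_MAX 64 /* stands in for IB_DEVICE_NODE_DESC_MAX */

/* Hypothetical stand-in for the part of struct ib_device that matters here:
 * the 64-byte description followed directly by other data. */
struct fake_dev {
    char node_desc[NODE_DESC_MAX];
    char adjacent[16]; /* constructed neighbouring field */
};

/* Mirrors the store path quoted above: raw copy, no NUL terminator added. */
static void store_desc(struct fake_dev *d, const char *buf, size_t count)
{
    memcpy(d->node_desc, buf, count < NODE_DESC_MAX ? count : NODE_DESC_MAX);
}

/* Bounded show: the precision stops the read after 64 bytes of node_desc. */
static int show_bounded(const struct fake_dev *d, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%.64s\n", d->node_desc);
}

/* Number of bytes an unbounded "%s" would walk before finding a NUL,
 * measured safely by scanning the whole struct as bytes. */
static size_t unbounded_span(const struct fake_dev *d)
{
    const char *base = (const char *)d;
    const char *nul = memchr(base, 0, sizeof(*d));
    return nul ? (size_t)(nul - base) : sizeof(*d);
}

int main(void)
{
    struct fake_dev d;
    char in[NODE_DESC_MAX], out[128];

    memset(&d, 0, sizeof(d));
    memcpy(d.adjacent, "ADJ", 4);  /* constructed neighbouring data */
    memset(in, 'A', sizeof(in));   /* constructed write of exactly 64 bytes */
    store_desc(&d, in, sizeof(in));

    printf("bounded show emits %d bytes\n", show_bounded(&d, out, sizeof(out)));
    printf("unbounded %%s would walk %zu bytes\n", unbounded_span(&d));
    return 0;
}
```

A span larger than 64 after a full-length write is the condition the quoted message describes: the terminator that ends the read belongs to a neighbouring field, not to `node_desc`.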