From: Jason Gunthorpe <jgg@nvidia.com>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: Long Li <longli@microsoft.com>,
Konstantin Taranov <kotaranov@microsoft.com>,
Leon Romanovsky <leon@kernel.org>,
Dexuan Cui <decui@microsoft.com>,
Ajay Sharma <sharmaajay@microsoft.com>,
linux-rdma@vger.kernel.org, linux-hyperv@vger.kernel.org,
linux-kernel@vger.kernel.org, Yuhao Jiang <danisjiang@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/mana_ib: validate rx_hash_key_len in mana_ib_create_qp_rss
Date: Tue, 28 Apr 2026 13:02:11 -0300
Message-ID: <20260428160211.GA2781641@nvidia.com>
In-Reply-To: <SYBPR01MB7881D40E494BF61A4B298252AF2C2@SYBPR01MB7881.ausprd01.prod.outlook.com>

On Tue, Apr 21, 2026 at 06:50:21PM +0800, Junrui Luo wrote:
> mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
> directly to mana_ib_cfg_vport_steering(), which uses it as the length
> argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).
>
> A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
> from the kernel stack and an out-of-bounds write past req->hashkey
> within the kzalloc'd struct mana_cfg_rx_steer_req_v2.
>
> Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.
>
> Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> drivers/infiniband/hw/mana/qp.c | 7 +++++++
> 1 file changed, 7 insertions(+)

I have a fix for this in my pile of sashiko patches that I prefer, it
is better to put the check in mana_ib_cfg_vport_steering() and not
print.

Jason
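
An added illustration, not part of this thread or of either patch: a user-space C model of the length check placed in the callee beside the memcpy() it guards, failing without logging. All demo_* names, the struct layouts and the key size of 40 are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for MANA_HASH_KEY_SIZE; the value 40 is an assumption. */
#define DEMO_HASH_KEY_SIZE 40

/* Constructed model of the request: fixed-size key, then other fields. */
struct demo_steer_req {
	uint8_t hashkey[DEMO_HASH_KEY_SIZE];
	uint32_t canary; /* models whatever follows hashkey in the allocation */
};

/* Constructed model of the user command copied onto the kernel stack. */
struct demo_ucmd {
	uint8_t rx_hash_key[DEMO_HASH_KEY_SIZE];
	uint32_t rx_hash_key_len; /* user-supplied length */
};

/*
 * Check in the callee, next to the memcpy() it protects, so every caller
 * is covered. Fails with -EINVAL and logs nothing.
 */
static int demo_cfg_steering(struct demo_steer_req *req,
			     const uint8_t *key, uint32_t key_len)
{
	if (key_len > sizeof(req->hashkey))
		return -EINVAL;
	memcpy(req->hashkey, key, key_len);
	return 0;
}

/* Caller passes the user-supplied length straight through, as described. */
static int demo_create_qp_rss(const struct demo_ucmd *ucmd,
			      struct demo_steer_req *req)
{
	return demo_cfg_steering(req, ucmd->rx_hash_key, ucmd->rx_hash_key_len);
}

int main(void)
{
	struct demo_steer_req req = { .canary = 0xC0FFEEu };
	struct demo_ucmd ucmd = { .rx_hash_key_len = DEMO_HASH_KEY_SIZE + 1 };

	/* Oversized length is rejected before any copy; canary is untouched. */
	return (demo_create_qp_rss(&ucmd, &req) == -EINVAL &&
		req.canary == 0xC0FFEEu) ? 0 : 1;
}
```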