From: Jason Gunthorpe <jgg@nvidia.com>
To: Michael Bommarito <michael.bommarito@gmail.com>
Cc: Bart Van Assche <bvanassche@acm.org>,
Leon Romanovsky <leon@kernel.org>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] RDMA/srp: bound SRP_RSP sense copy by the received length
Date: Fri, 5 Jun 2026 14:21:11 -0300 [thread overview]
Message-ID: <20260605172111.GA2779759@nvidia.com> (raw)
In-Reply-To: <20260602220457.2542840-1-michael.bommarito@gmail.com>
On Tue, Jun 02, 2026 at 06:04:57PM -0400, Michael Bommarito wrote:
> srp_process_rsp() copies sense data from rsp->data + resp_data_len,
> where resp_data_len is the full 32-bit value supplied by the SRP target
> and is never checked against the number of bytes actually received
> (wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
> at most 96 bytes are copied, but the source offset is not bounded.
>
> A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
> the initiator has logged into can return an SRP_RSP with
> SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
> is allocated at the target-chosen max_ti_iu_len, so the source of the
> sense copy lands past the bytes actually received; with resp_data_len
> near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
>
> Copy the sense data only if it has not been truncated, that is, only if
> the response header, the response data, and the sense region fit within
> the bytes actually received; otherwise drop the sense and log. The
> in-tree iSER and NVMe-RDMA receive paths already bound their parse by
> wc->byte_len; this brings ib_srp into line with them.
>
> Fixes: aef9ec39c40c ("IB: Add SCSI RDMA Protocol (SRP) initiator")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
> Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Applied with Bart's request
In future please be careful, maybe your AI hallucinated the fixes
line, it should be:
Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Jason
prev parent reply other threads:[~2026-06-05 17:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-02 22:04 [PATCH v2] RDMA/srp: bound SRP_RSP sense copy by the received length Michael Bommarito
2026-06-03 17:13 ` Bart Van Assche
2026-06-05 17:21 ` Jason Gunthorpe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260605172111.GA2779759@nvidia.com \
--to=jgg@nvidia.com \
--cc=bvanassche@acm.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=michael.bommarito@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.