From: Jason Gunthorpe <jgg@nvidia.com>
To: Zhenhao Wan <whi4ed0g@gmail.com>
Cc: "Md. Haris Iqbal" <haris.iqbal@ionos.com>,
	Jack Wang <jinpu.wang@ionos.com>,
	Leon Romanovsky <leon@kernel.org>,
	Danil Kipnis <danil.kipnis@cloud.ionos.com>,
	Jack Wang <jinpu.wang@cloud.ionos.com>,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	Yuhao Jiang <danisjiang@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/rtrs-srv: Bound RDMA-Write length to chunk size in rdma_write_sg
Date: Tue, 16 Jun 2026 16:07:18 -0300	[thread overview]
Message-ID: <20260616190718.GA3986358@nvidia.com> (raw)
In-Reply-To: <20260612-master-v1-1-70cde5c6fdc9@gmail.com>

On Fri, Jun 12, 2026 at 01:15:54AM +0800, Zhenhao Wan wrote:
> When the server answers an RTRS READ, rdma_write_sg() builds the source
> scatter/gather entry for the IB_WR_RDMA_WRITE that returns data to the
> peer. Its length is taken directly from the wire descriptor:
> 
>   plist->length = le32_to_cpu(id->rd_msg->desc[0].len);
> 
> rd_msg points into the chunk buffer that the remote peer filled via
> RDMA-WRITE-WITH-IMM (rtrs_srv_rdma_done() -> process_io_req() ->
> process_read()), so desc[0].len is attacker-controlled and, before this
> change, was only rejected when zero. The source address is the fixed
> chunk start (dma_addr[msg_id]) and the source lkey is the PD-wide
> local_dma_lkey, which is not tied to the chunk's MR mapping, so the verbs
> layer does not constrain the transfer length to max_chunk_size. msg_id
> and off are bounded against queue_depth and max_chunk_size in
> rtrs_srv_rdma_done(), but desc[0].len is a separate field that was not
> checked against the chunk size.
> 
> A peer that advertises desc[0].len larger than max_chunk_size can make
> the posted RDMA write read past the chunk's mapped region. The resulting
> behaviour depends on the IOMMU configuration: with no IOMMU or in
> passthrough mode the read may extend into memory adjacent to the chunk
> and be returned to the peer, which can disclose host memory; with a
> translating IOMMU the out-of-range access is expected to fault and abort
> the connection. In either case the transfer exceeds what the protocol
> permits and is driven by a remote peer.
> 
> Reject a descriptor length above max_chunk_size, mirroring the existing
> off >= max_chunk_size bound in rtrs_srv_rdma_done(). Legitimate clients
> do not exceed it: the client sets desc[0].len to its MR length, which is
> capped at the negotiated max_io_size (max_chunk_size - MAX_HDR_SIZE).
> 
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
>  drivers/infiniband/ulp/rtrs/rtrs-srv.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Jason
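
The bound the quoted commit message describes, modelled in userspace C as an added example (this is not the patch or the kernel's own code): the `rtrs_sg_desc` stand-in, the `model_le32_*` helpers and the `validate()` wrapper are constructed here, while `check_len_before()` and `check_len_after()` follow the old and the fixed behaviour of rdma_write_sg().

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the peer-filled wire descriptor (desc[0] in
 * rd_msg); only the length field this check reads is modelled. */
struct rtrs_sg_desc {
	uint32_t len;   /* little-endian on the wire, peer-controlled */
};

/* Userspace replacements for the kernel's le32 helpers. */
static uint32_t model_le32_to_cpu(const uint32_t *wire)
{
	const uint8_t *b = (const uint8_t *)wire;
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void model_cpu_to_le32(uint32_t v, uint32_t *wire)
{
	uint8_t *b = (uint8_t *)wire;
	for (int i = 0; i < 4; i++)
		b[i] = (v >> (8 * i)) & 0xff;
}

/* Before the fix: desc[0].len was rejected only when zero. */
int check_len_before(size_t max_chunk_size, const struct rtrs_sg_desc *d)
{
	(void)max_chunk_size;   /* the chunk size was never consulted */
	return model_le32_to_cpu(&d->len) == 0 ? -EINVAL : 0;
}

/* After the fix: the length must also fit inside the chunk, mirroring the
 * off >= max_chunk_size bound already applied in rtrs_srv_rdma_done(). */
int check_len_after(size_t max_chunk_size, const struct rtrs_sg_desc *d)
{
	uint32_t len = model_le32_to_cpu(&d->len);
	if (len == 0 || len > max_chunk_size)
		return -EINVAL;
	return 0;
}

/* Encodes a host-order length as the peer would and runs either check. */
int validate(bool hardened, size_t max_chunk_size, uint32_t host_len)
{
	struct rtrs_sg_desc d;
	model_cpu_to_le32(host_len, &d.len);
	return hardened ? check_len_after(max_chunk_size, &d)
			: check_len_before(max_chunk_size, &d);
}
```

With a 128 KiB chunk, the old check accepts a 131073-byte or 0xffffffff descriptor length while the fixed one returns -EINVAL for both; a zero length is rejected in either version.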
