From: Leon Romanovsky <leon@kernel.org>
To: Zhenhao Wan <whi4ed0g@gmail.com>
Cc: "Md. Haris Iqbal" <haris.iqbal@ionos.com>,
Jack Wang <jinpu.wang@ionos.com>, Jason Gunthorpe <jgg@ziepe.ca>,
Danil Kipnis <danil.kipnis@cloud.ionos.com>,
Jack Wang <jinpu.wang@cloud.ionos.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang <danisjiang@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] RDMA/rtrs-srv: Reject usr_len larger than off in process_{read,write}
Date: Wed, 17 Jun 2026 15:10:55 +0300 [thread overview]
Message-ID: <20260617121055.GY327369@unreal> (raw)
In-Reply-To: <20260617-rtrs-srv-usr-len-underflow-v1-1-942e6414150a@gmail.com>
On Wed, Jun 17, 2026 at 12:52:00AM +0800, Zhenhao Wan wrote:
> process_read() and process_write() derive the data length of an I/O
> request as:
>
> usr_len = le16_to_cpu(req->usr_len);
> data_len = off - usr_len;
>
> off comes from the RDMA-Write-with-imm immediate and is only bounded
> above (off < max_chunk_size) in rtrs_srv_rdma_done(). usr_len is read
> from the chunk buffer the remote peer fills over RDMA, so it is peer
> controlled over the full u16 range and is not checked against off.
>
> If a peer sends usr_len > off, the size_t subtraction underflows and
> the pointer data + data_len passed to the ->rdma_ev() callback points
> before the chunk. The in-tree consumer rnbd_srv_rdma_ev() dereferences
> it as the message header (le16_to_cpu(hdr->type)) before validating it;
> this is an out-of-bounds read reachable from a remote peer.
>
> Reject usr_len > off before computing data_len in both paths, via the
> existing send_err_msg path. For a well-formed request off is the total
> length data_len + usr_len, so usr_len <= off holds and valid requests
> are unaffected.
>
> Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
It is already fixed in the commit 54bf38b27afc ("RDMA/rtrs-srv: Fix integer underflow in process_read and process_write")
Thanks
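The length derivation the patch description talks about, reduced to a stand-alone model. This is an added example, not rtrs-srv or rnbd code: it keeps only the two quantities the check concerns (off from the immediate, usr_len from the peer-written chunk) and computes data_len = off - usr_len once without the check and once with it. The chunk layout assumed here (payload, then the user message, then the request header at chunk + off, so that off == data_len + usr_len for a well-formed request) follows the description above; MAX_CHUNK_SIZE, the buffer and the request values are constructed for the demo, and the rejection is modelled as a false return rather than a send_err_msg call.

```c
/* Added example, not kernel code: models data_len = off - usr_len from
 * rtrs-srv process_read()/process_write() and the usr_len > off check.
 * Assumed layout: [payload data_len][user msg usr_len][header at off]. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK_SIZE 4096u  /* stand-in for rtrs max_chunk_size (assumption) */

/* Constructed chunk buffer; a real peer fills it over RDMA. */
static unsigned char chunk[MAX_CHUNK_SIZE];

static uint16_t read_le16(const unsigned char *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static void put_le16(unsigned char *p, uint16_t v)
{
	p[0] = (unsigned char)(v & 0xff);
	p[1] = (unsigned char)(v >> 8);
}

/* Place a request header carrying usr_len at chunk + off. Only the usr_len
 * field is modelled; the real header has more fields. off is taken to be
 * already bounded by max_chunk_size, as rtrs_srv_rdma_done() guarantees. */
static bool fill_chunk(uint32_t off, uint16_t usr_len)
{
	if (off + 2u > MAX_CHUNK_SIZE)
		return false;
	memset(chunk, 0xAA, sizeof(chunk));
	put_le16(chunk + off, usr_len);
	return true;
}

/* What ->rdma_ev() is handed, expressed as offsets into the chunk so the
 * example never forms an out-of-bounds pointer itself. */
struct io_view {
	size_t data_len;  /* offset of the user message: data + data_len */
	size_t usr_len;
};

/* Before the fix: usr_len is trusted and the size_t subtraction wraps. */
static bool derive_vuln(uint32_t off, struct io_view *v)
{
	size_t usr_len = read_le16(chunk + off);
	size_t data_len = off - usr_len;  /* wraps when usr_len > off */

	v->data_len = data_len;
	v->usr_len = usr_len;
	return true;
}

/* After the fix: reject before subtracting. usr_len == off is legal
 * (a request with no payload), so the comparison is strictly greater. */
static bool derive_fixed(uint32_t off, struct io_view *v)
{
	size_t usr_len = read_le16(chunk + off);

	if (usr_len > off)
		return false;  /* rtrs answers through send_err_msg here */
	v->data_len = off - usr_len;
	v->usr_len = usr_len;
	return true;
}

/* Would data + data_len .. + usr_len stay inside the chunk? */
static bool view_in_bounds(const struct io_view *v)
{
	return v->data_len <= MAX_CHUNK_SIZE &&
	       v->usr_len <= MAX_CHUNK_SIZE - v->data_len;
}

/* Helpers that run one constructed request through either path. */
static size_t vuln_data_len(uint32_t off, uint16_t usr_len)
{
	struct io_view v = {0};
	fill_chunk(off, usr_len);
	derive_vuln(off, &v);
	return v.data_len;
}

static bool vuln_in_bounds(uint32_t off, uint16_t usr_len)
{
	struct io_view v = {0};
	fill_chunk(off, usr_len);
	derive_vuln(off, &v);
	return view_in_bounds(&v);
}

static bool fixed_accepts(uint32_t off, uint16_t usr_len)
{
	struct io_view v = {0};
	fill_chunk(off, usr_len);
	return derive_fixed(off, &v);
}

int main(void)
{
	printf("off=1024 usr_len=64:    data_len=%zu in_bounds=%d fixed_accepts=%d\n",
	       vuln_data_len(1024, 64), vuln_in_bounds(1024, 64), fixed_accepts(1024, 64));
	printf("off=1024 usr_len=65535: data_len=%zu in_bounds=%d fixed_accepts=%d\n",
	       vuln_data_len(1024, 65535), vuln_in_bounds(1024, 65535), fixed_accepts(1024, 65535));
	return 0;
}
```

The wrapped data_len is what makes the usr pointer land before the chunk: on a 64-bit host, data + (SIZE_MAX - 64510) is the same address as data - 64511, which is why the consumer's header read in the description is out of bounds. The model deliberately stops at the offset arithmetic and does not perform that read.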
Thread overview:
2026-06-16 16:52 [PATCH] RDMA/rtrs-srv: Reject usr_len larger than off in process_{read,write} Zhenhao Wan
2026-06-17 12:10 ` Leon Romanovsky [this message]