From: Dust Li <dust.li@linux.alibaba.com>
To: hexlabsecurity@proton.me, "David S. Miller" <davem@davemloft.net>,
Sidraya Jayagond <sidraya@linux.ibm.com>,
Eric Dumazet <edumazet@google.com>,
"D. Wythe" <alibuda@linux.alibaba.com>,
Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>,
Wenjia Zhang <wenjia@linux.ibm.com>,
Paolo Abeni <pabeni@redhat.com>
Cc: Stefan Raspl <raspl@linux.ibm.com>,
Wen Gu <guwen@linux.alibaba.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Mahanta Jambigi <mjambigi@linux.ibm.com>,
Tony Lu <tonylu@linux.alibaba.com>,
Ursula Braun <ubraun@linux.ibm.com>,
linux-s390@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: Re: [PATCH net v4 3/3] net/smc: bound the send length to the send buffer in smc_tx_sendmsg()
Date: Wed, 15 Jul 2026 00:20:42 +0800 [thread overview]
Message-ID: <alZh2puH6EMlyE__@linux.alibaba.com> (raw)
In-Reply-To: <20260705-b4-disp-28a1bbca-v4-3-be089b98acc6@proton.me>
On 2026-07-05 02:54:07, Bryam Vargas via B4 Relay wrote:
>From: Bryam Vargas <hexlabsecurity@proton.me>
>
>On the SMC-D DMB-merge (nocopy) path, smc_cdc_msg_recv_action()
>advances conn->sndbuf_space from the peer's wire-controlled consumer
>cursor via smc_curs_diff(), which can return more than sndbuf_desc->len;
>a forged cursor drives sndbuf_space past the send buffer, and over many
>CDC messages overflows the signed counter negative. smc_tx_sendmsg()
>reads it as the write space and does a wrap-around copy whose second
>chunk is not re-bounded to sndbuf_desc->len, spilling the local
>sender's outbound data past the send buffer at a peer-controlled
>length: a heap out-of-bounds write. The nearby len > sndbuf_desc->len
>test only feeds SMC_STAT_RMB_TX_SIZE_SMALL on the user length; it does
>not bound the copy.
>
>Bound the write space to sndbuf_desc->len at the consumer, treating a
>negative (sign-overflowed) value as out of range too, so the copy can
>never exceed the ring. This enforces the documented
>0 <= sndbuf_space <= sndbuf_desc->len invariant where it is race-free
>against the CDC tasklet; conforming peers are unaffected.
>
>Fixes: cc0ab806fc52 ("net/smc: adapt cursor update when sndbuf and peer DMB are merged")
>Cc: stable@vger.kernel.org
>Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Best regards,
Dust
>---
> net/smc/smc_tx.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
>diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
>index 3144b4b1fe29..5916f02060fb 100644
>--- a/net/smc/smc_tx.c
>+++ b/net/smc/smc_tx.c
>@@ -233,6 +233,19 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
> /* initialize variables for 1st iteration of subsequent loop */
> /* could be just 1 byte, even after smc_tx_wait above */
> writespace = atomic_read(&conn->sndbuf_space);
>+ /* sndbuf_space is advanced from the peer's wire-controlled
>+ * consumer cursor on the SMC-D DMB-merge path; a forged cursor
>+ * can inflate it past the send buffer, or overflow the signed
>+ * accumulator to a negative value across many CDC messages
>+ * (which a plain "> len" check would miss before the size_t
>+ * cast below turns it huge). Bound it to the send buffer in
>+ * either case so the wrap-around write cannot run past
>+ * sndbuf_desc->len. This enforces the documented
>+ * 0 <= sndbuf_space <= sndbuf_desc->len invariant at the
>+ * producer, race-free against the CDC tasklet.
>+ */
>+ if (writespace < 0 || writespace > conn->sndbuf_desc->len)
>+ writespace = conn->sndbuf_desc->len;
> /* not more than what user space asked for */
> copylen = min_t(size_t, send_remaining, writespace);
> /* determine start of sndbuf */
>
>--
>2.43.0
>
next prev parent reply other threads:[~2026-07-14 16:20 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 7:54 [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Bryam Vargas
2026-07-05 7:54 ` Bryam Vargas via B4 Relay
2026-07-05 7:54 ` [PATCH net v4 1/3] net/smc: bound the wire-controlled producer cursor to the RMB Bryam Vargas
2026-07-05 7:54 ` Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:19 ` Dust Li
2026-07-05 7:54 ` [PATCH net v4 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg() Bryam Vargas
2026-07-05 7:54 ` Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:20 ` Dust Li
2026-07-05 7:54 ` [PATCH net v4 3/3] net/smc: bound the send length to the send buffer in smc_tx_sendmsg() Bryam Vargas
2026-07-05 7:54 ` Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:20 ` Dust Li [this message]
2026-07-07 9:29 ` [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Dust Li
2026-07-11 10:43 ` Bryam Vargas
2026-07-14 16:18 ` Dust Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alZh2puH6EMlyE__@linux.alibaba.com \
--to=dust.li@linux.alibaba.com \
--cc=alibuda@linux.alibaba.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=guwen@linux.alibaba.com \
--cc=hexlabsecurity@proton.me \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mjambigi@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raspl@linux.ibm.com \
--cc=sidraya@linux.ibm.com \
--cc=tonylu@linux.alibaba.com \
--cc=ubraun@linux.ibm.com \
--cc=wenjia@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.