All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dust Li <dust.li@linux.alibaba.com>
To: Bryam Vargas <hexlabsecurity@proton.me>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>,
	"D . Wythe" <alibuda@linux.alibaba.com>,
	Sidraya Jayagond <sidraya@linux.ibm.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	Mahanta Jambigi <mjambigi@linux.ibm.com>,
	Wen Gu <guwen@linux.alibaba.com>, Simon Horman <horms@kernel.org>,
	Ursula Braun <ubraun@linux.ibm.com>,
	Stefan Raspl <raspl@linux.ibm.com>,
	Tony Lu <tonylu@linux.alibaba.com>,
	Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-s390@vger.kernel.org,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers
Date: Wed, 15 Jul 2026 00:18:42 +0800	[thread overview]
Message-ID: <alZhYh6TOvqH0T9s@linux.alibaba.com> (raw)
In-Reply-To: <20260711104315.82912-1-hexlabsecurity@proton.me>

On 2026-07-11 10:43:26, Bryam Vargas wrote:
>On Tue, 7 Jul 2026 17:29:04 +0800, Dust Li wrote:
>> Are you planning to land these clamps first, and then follow up with a
>> separate validate/abort series?
>
>Yes -- clamp series to net (Cc: stable), then the wire-boundary validate/abort to
>net-next, which is the split from your v3 review. If you'd rather have the
>validate/abort as the primary fix, or both in one series, say so and I'll
>restructure it.
>
>> Looking at your earlier A/B test, it simulates this logic in userspace to
>> demonstrate the bug, but it doesn't actually trigger the bug in our
>> current kernel.
>
>Right -- the earlier one replayed the smc_curs_diff/copy arithmetic over a kmalloc
>buffer. I built the end-to-end version: two AF_SMC sockets over the SMC-D loopback
>(dibs), CONFIG_SMC=m with KASAN, receive path unmodified. Only the sender's on-wire
>producer cursor is forged, modelling what a misbehaving peer sends:
>
>  cdc.prod.wrap = curs.wrap;
>  cdc.prod.count = curs.count;
>+ if (forge) {                 /* peer just bumps the wrap, count stays 0 */
>+     static u16 w;
>+     cdc.prod.wrap = ++w;
>+     cdc.prod.count = 0;
>+ }
>
>The client sends six 1-byte messages, the server recvs into a 2 MB buffer.
>rmb_desc->len = 65504; the three arms on 7.2-rc1:
>
>  honest (no forge)            recv 6        clean
>  forged, patch 2/3 clamp on   recv 65504    clean   (== rmb_desc->len)
>  forged, no clamp             recv 393024   KASAN
>
>In the last arm bytes_to_rcv reaches 6*len, so smc_rx_recvmsg()'s second wrap-around
>chunk (copylen - first_chunk = 393024 - 65504) is read from ring offset 0, past the
>RMB page:
>
>  BUG: KASAN: slab-use-after-free in _copy_to_iter
>  Read of size 327520 ... smc_rx_recvmsg <- smc_recvmsg <- __sys_recvfrom
>
>(use-after-free rather than out-of-bounds only because the over-read lands in a freed
>adjacent slab.) Happy to send the driver.
>
>> the security risk here doesn't seem high to me, since SMC is only meant to
>> be deployed in trusted environments.
>
>Agreed it's low urgency there. The reason I'd still keep the bound in stable: it's a
>peer-driven out-of-bounds read of kernel memory that a buggy, not only malicious,
>peer can hit, and the clamp never resets an honest connection. The stable tag is
>your call.
>
>> once this is actually triggered, it means the data we've been handing to
>> userspace is already wrong ... the connection should be terminated. So I
>> don't really see much value in merging the bound-clamp patches first.
>
>I'm not arguing against the abort -- a bad CDC means the connection can't be trusted
>and should go down, and that's the net-next work. Two points on it.
>
>The predicate has to test the accumulator, not the cursor. Every forged CDC here
>carries count == 0, which is in [0, rmb_desc->len), so it passes any per-cursor
>input check, including patch 1/3; only bytes_to_rcv goes out of range. A
>cursor-boundary abort wouldn't catch this vector.
>
>And placement: if the abort is queued (queue_work -> smc_conn_kill) after the
>atomic_add, a recvmsg() under lock_sock can still read the inflated accumulator in
>the window before teardown runs. A synchronous check that bails before the
>atomic_add avoids that, and so does the consumer clamp.
>
>If you'd prefer a single accumulator-abort in place of the -stable clamp, I'll
>respin it that way and run the same A/B.

Hi Bryam,

Thanks for the detailed explanation — I think you're right. To me the
key point here is that no matter how the peer misbehaves, we should
never let it cause a panic or memory corruption on our side.

So I think your current clamp can stay. In the net-next version we
can add the abort logic, and additionally, it would be best to emit a
warning log whenever the clamp detects an anomaly here.

Best regards, Dust


      reply	other threads:[~2026-07-14 16:18 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05  7:54 [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Bryam Vargas
2026-07-05  7:54 ` Bryam Vargas via B4 Relay
2026-07-05  7:54 ` [PATCH net v4 1/3] net/smc: bound the wire-controlled producer cursor to the RMB Bryam Vargas
2026-07-05  7:54   ` Bryam Vargas via B4 Relay
2026-07-06  7:54   ` sashiko-bot
2026-07-14 16:19   ` Dust Li
2026-07-05  7:54 ` [PATCH net v4 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg() Bryam Vargas
2026-07-05  7:54   ` Bryam Vargas via B4 Relay
2026-07-06  7:54   ` sashiko-bot
2026-07-14 16:20   ` Dust Li
2026-07-05  7:54 ` [PATCH net v4 3/3] net/smc: bound the send length to the send buffer in smc_tx_sendmsg() Bryam Vargas
2026-07-05  7:54   ` Bryam Vargas via B4 Relay
2026-07-06  7:54   ` sashiko-bot
2026-07-14 16:20   ` Dust Li
2026-07-07  9:29 ` [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Dust Li
2026-07-11 10:43   ` Bryam Vargas
2026-07-14 16:18     ` Dust Li [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alZhYh6TOvqH0T9s@linux.alibaba.com \
    --to=dust.li@linux.alibaba.com \
    --cc=alibuda@linux.alibaba.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=guwen@linux.alibaba.com \
    --cc=hexlabsecurity@proton.me \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=mjambigi@linux.ibm.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=raspl@linux.ibm.com \
    --cc=sidraya@linux.ibm.com \
    --cc=tonylu@linux.alibaba.com \
    --cc=ubraun@linux.ibm.com \
    --cc=wenjia@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.