* [patch] RDMA/cxgb3: stack info leak in iwch_craete_cq()
@ 2013-07-25 17:04 Dan Carpenter
[not found] ` <20130725170409.GB7026-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2013-07-25 17:04 UTC (permalink / raw)
To: Steve Wise
Cc: Roland Dreier, Sean Hefty, Hal Rosenstock,
linux-rdma-u79uwXL29TY76Z2rM5mHXA,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA
The "uresp.reserved" field isn't initialized. It's at the end, of the
struct here so we don't need to copy it to the user.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/infiniband/hw/cxgb3/iwch_provider.c b/drivers/infiniband/hw/cxgb3/iwch_provider.c
index e87f220..b8e26f2 100644
--- a/drivers/infiniband/hw/cxgb3/iwch_provider.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c
@@ -226,7 +226,7 @@ static struct ib_cq *iwch_create_cq(struct ib_device *ibdev, int entries, int ve
mm->len = PAGE_ALIGN(((1UL << uresp.size_log2) + 1) *
sizeof(struct t3_cqe));
uresp.memsize = mm->len;
- resplen = sizeof uresp;
+ resplen = sizeof uresp - sizeof uresp.reserved;
}
if (ib_copy_to_udata(udata, &uresp, resplen)) {
kfree(mm);
^ permalink raw reply related [flat|nested] 5+ messages in thread[parent not found: <20130725170409.GB7026-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>]
* Re: [patch] RDMA/cxgb3: stack info leak in iwch_craete_cq() [not found] ` <20130725170409.GB7026-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org> @ 2013-07-25 18:43 ` Steve Wise [not found] ` <51F171D0.7050204-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org> 2013-07-29 19:19 ` [patch v2] " Dan Carpenter 0 siblings, 2 replies; 5+ messages in thread From: Steve Wise @ 2013-07-25 18:43 UTC (permalink / raw) To: Dan Carpenter Cc: Steve Wise, Roland Dreier, Sean Hefty, Hal Rosenstock, linux-rdma-u79uwXL29TY76Z2rM5mHXA, kernel-janitors-u79uwXL29TY76Z2rM5mHXA On 7/25/2013 12:04 PM, Dan Carpenter wrote: > The "uresp.reserved" field isn't initialized. It's at the end, of the > struct here so we don't need to copy it to the user. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > diff --git a/drivers/infiniband/hw/cxgb3/iwch_provider.c b/drivers/infiniband/hw/cxgb3/iwch_provider.c > index e87f220..b8e26f2 100644 > --- a/drivers/infiniband/hw/cxgb3/iwch_provider.c > +++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c > @@ -226,7 +226,7 @@ static struct ib_cq *iwch_create_cq(struct ib_device *ibdev, int entries, int ve > mm->len = PAGE_ALIGN(((1UL << uresp.size_log2) + 1) * > sizeof(struct t3_cqe)); > uresp.memsize = mm->len; > - resplen = sizeof uresp; > + resplen = sizeof uresp - sizeof uresp.reserved; > } > if (ib_copy_to_udata(udata, &uresp, resplen)) { > kfree(mm); How did you find this? What if, in the future, the iwch_create_cq_resp struct is changed and stuff added to the end? I'm not sure this optimization is worth it? ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <51F171D0.7050204-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org>]
* Re: [patch] RDMA/cxgb3: stack info leak in iwch_craete_cq() [not found] ` <51F171D0.7050204-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org> @ 2013-07-26 8:47 ` Dan Carpenter 0 siblings, 0 replies; 5+ messages in thread From: Dan Carpenter @ 2013-07-26 8:47 UTC (permalink / raw) To: Steve Wise Cc: Steve Wise, Roland Dreier, Sean Hefty, Hal Rosenstock, linux-rdma-u79uwXL29TY76Z2rM5mHXA, kernel-janitors-u79uwXL29TY76Z2rM5mHXA On Thu, Jul 25, 2013 at 01:43:28PM -0500, Steve Wise wrote: > On 7/25/2013 12:04 PM, Dan Carpenter wrote: > >The "uresp.reserved" field isn't initialized. It's at the end, of the > >struct here so we don't need to copy it to the user. > > > >Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > >diff --git a/drivers/infiniband/hw/cxgb3/iwch_provider.c b/drivers/infiniband/hw/cxgb3/iwch_provider.c > >index e87f220..b8e26f2 100644 > >--- a/drivers/infiniband/hw/cxgb3/iwch_provider.c > >+++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c > >@@ -226,7 +226,7 @@ static struct ib_cq *iwch_create_cq(struct ib_device *ibdev, int entries, int ve > > mm->len = PAGE_ALIGN(((1UL << uresp.size_log2) + 1) * > > sizeof(struct t3_cqe)); > > uresp.memsize = mm->len; > >- resplen = sizeof uresp; > >+ resplen = sizeof uresp - sizeof uresp.reserved; > > } > > if (ib_copy_to_udata(udata, &uresp, resplen)) { > > kfree(mm); > > How did you find this? This is some incoming Smatch stuff. > > What if, in the future, the iwch_create_cq_resp struct is changed > and stuff added to the end? I'm not sure this optimization is worth > it? Yeah. I'm not sure either. I wouldn't do it outside infiniband code because I was copying other code from there. I can redo this. regards, dan carpenter ^ permalink raw reply [flat|nested] 5+ messages in thread
* [patch v2] RDMA/cxgb3: stack info leak in iwch_craete_cq() 2013-07-25 18:43 ` Steve Wise [not found] ` <51F171D0.7050204-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org> @ 2013-07-29 19:19 ` Dan Carpenter [not found] ` <20130729191914.GA11977-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org> 1 sibling, 1 reply; 5+ messages in thread From: Dan Carpenter @ 2013-07-29 19:19 UTC (permalink / raw) To: Steve Wise Cc: Roland Dreier, Sean Hefty, Hal Rosenstock, linux-rdma, kernel-janitors The "uresp.reserved" field isn't initialized on this path so it could leak uninitialized stack information to the user. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: different approach to fixing the problem diff --git a/drivers/infiniband/hw/cxgb3/iwch_provider.c b/drivers/infiniband/hw/cxgb3/iwch_provider.c index e87f220..d228383 100644 --- a/drivers/infiniband/hw/cxgb3/iwch_provider.c +++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c @@ -226,6 +226,7 @@ static struct ib_cq *iwch_create_cq(struct ib_device *ibdev, int entries, int ve mm->len = PAGE_ALIGN(((1UL << uresp.size_log2) + 1) * sizeof(struct t3_cqe)); uresp.memsize = mm->len; + uresp.reserved = 0; resplen = sizeof uresp; } if (ib_copy_to_udata(udata, &uresp, resplen)) { ^ permalink raw reply related [flat|nested] 5+ messages in thread
[parent not found: <20130729191914.GA11977-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>]
* Re: [patch v2] RDMA/cxgb3: stack info leak in iwch_craete_cq() [not found] ` <20130729191914.GA11977-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org> @ 2013-07-29 19:26 ` Steve Wise 0 siblings, 0 replies; 5+ messages in thread From: Steve Wise @ 2013-07-29 19:26 UTC (permalink / raw) To: Dan Carpenter Cc: Steve Wise, Roland Dreier, Sean Hefty, Hal Rosenstock, linux-rdma-u79uwXL29TY76Z2rM5mHXA, kernel-janitors-u79uwXL29TY76Z2rM5mHXA Acked-by: Steve Wise <swise@opengridcomputing.com> ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2013-07-29 19:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-07-25 17:04 [patch] RDMA/cxgb3: stack info leak in iwch_craete_cq() Dan Carpenter
[not found] ` <20130725170409.GB7026-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
2013-07-25 18:43 ` Steve Wise
[not found] ` <51F171D0.7050204-7bPotxP6k4+P2YhJcF5u+vpXobYPEAuW@public.gmane.org>
2013-07-26 8:47 ` Dan Carpenter
2013-07-29 19:19 ` [patch v2] " Dan Carpenter
[not found] ` <20130729191914.GA11977-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
2013-07-29 19:26 ` Steve Wise
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox