From: "Saleem, Shiraz" <shiraz.saleem@intel.com>
To: coverity-bot <keescook@chromium.org>,
"Ismail, Mustafa" <mustafa.ismail@intel.com>,
"Nikolova, Tatyana E" <tatyana.e.nikolova@intel.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
"linux-next@vger.kernel.org" <linux-next@vger.kernel.org>
Subject: RE: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
Date: Tue, 15 Jun 2021 15:59:00 +0000
Message-ID: <5a929effe400411eb1c6c84397480356@intel.com>
In-Reply-To: <202106081059.A515282@keescook>
> Subject: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
>
> Hello!
>
> This is an experimental semi-automated report about issues detected by Coverity
> from a scan of next-20210608 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified lines of
> code (noted below) that were touched by commits:
>
> Wed Jun 2 19:55:18 2021 -0300
> b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
>
> (Editor's note: I believe the issues below are basically summarized as "the contents
> of req came from userspace and did not get validated before being used for
> things like array indexing, etc")
>
> Coverity reported the following:
>
> *** CID 1505160: (TAINTED_SCALAR)
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807 iwpbl->on_list = true;
> 2808 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809 break;
> 2810 case IRDMA_MEMREG_TYPE_CQ:
> 2811 use_pbles = (req.cq_pages > 1);
> vvv CID 1505160: (TAINTED_SCALAR)
> vvv Passing tainted variable "req.rq_pages" to a tainted sink.
> 2812 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813 if (err)
> 2814 goto error;
> 2815
> 2816 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817 ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793 iwmr->type = req.reg_type;
> 2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796 switch (req.reg_type) {
> 2797 case IRDMA_MEMREG_TYPE_QP:
> 2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv CID 1505160: (TAINTED_SCALAR)
> vvv Passing tainted variable "req.cq_pages" to a tainted sink.
> 2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800 if (err)
> 2801 goto error;
> 2802
> 2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804 ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793 iwmr->type = req.reg_type;
> 2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796 switch (req.reg_type) {
> 2797 case IRDMA_MEMREG_TYPE_QP:
> 2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv CID 1505160: (TAINTED_SCALAR)
> vvv Passing tainted variable "req.sq_pages" to a tainted sink.
> 2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800 if (err)
> 2801 goto error;
> 2802
> 2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804 ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793 iwmr->type = req.reg_type;
> 2794 iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796 switch (req.reg_type) {
> 2797 case IRDMA_MEMREG_TYPE_QP:
> 2798 use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv CID 1505160: (TAINTED_SCALAR)
> vvv Passing tainted variable "req.rq_pages" to a tainted sink.
> 2799 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800 if (err)
> 2801 goto error;
> 2802
> 2803 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804 ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807 iwpbl->on_list = true;
> 2808 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809 break;
> 2810 case IRDMA_MEMREG_TYPE_CQ:
> 2811 use_pbles = (req.cq_pages > 1);
> vvv CID 1505160: (TAINTED_SCALAR)
> vvv Passing tainted variable "req.sq_pages" to a tainted sink.
> 2812 err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813 if (err)
> 2814 goto error;
> 2815
> 2816 ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817 ibucontext);
>
> If this is a false positive, please let us know so we can mark it as such, or teach
> the Coverity rules to be smarter. If not, please make sure fixes get into linux-next.
> :) For patches fixing this, please include these lines (but double-check the "Fixes"
> first):
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
>
> Thanks for your attention!
>
This appears to be a bug. We will send a fix.
Shiraz
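The pattern behind this report, as an added example that is not the irdma driver's code and not part of the thread: page counts copied from a userspace request (`sq_pages`, `rq_pages`, `cq_pages`) reach a sink that sizes and indexes a page-buffer list, so each field has to be bounded before use, and the total has to be checked against the page count the kernel itself derived from the pinned region (the `ib_umem_num_dma_blocks()` value visible in the report). The struct field types, the `MAX_QUEUE_PAGES` ceiling, the enum values and every function name below are assumptions made for this illustration.

```c
/*
 * Added example, not the irdma driver's code. It models the pattern the
 * Coverity report flags: page counts copied from a userspace request are
 * consumed by a sink (allocation size / index arithmetic) unvalidated.
 * Struct field types, the MAX_QUEUE_PAGES limit, the enum values and all
 * function names are assumptions made for this illustration.
 */
#include <stdint.h>
#include <stdio.h>

/* Mirrors the field names in the report; the types are assumed. */
struct mem_reg_req {
	uint16_t reg_type;
	uint16_t cq_pages;
	uint16_t rq_pages;
	uint16_t sq_pages;
};

/* Assumed values; the driver's real enum is not reproduced here. */
enum { MEMREG_TYPE_QP = 1, MEMREG_TYPE_CQ = 2 };

/* Assumed per-queue ceiling on page-buffer-list entries. */
#define MAX_QUEUE_PAGES 512U

/*
 * "Before": the sink as Coverity sees it. Whatever userspace wrote into
 * sq_pages/rq_pages decides the PBL size, with no upper bound and no
 * relation to how many pages the kernel actually pinned for the region.
 */
static unsigned int unchecked_qp_pbl_entries(const struct mem_reg_req *req)
{
	return (unsigned int)req->sq_pages + req->rq_pages; /* tainted arithmetic */
}

/*
 * "After": validate every user-supplied field before it reaches the sink.
 * page_cnt is the trusted page count the kernel derived from the pinned
 * region; a request must not ask for more queue pages than the region has.
 * Returns 0 when the request is acceptable, -1 when it must be rejected.
 */
static int validate_mem_reg_req(const struct mem_reg_req *req,
				unsigned int page_cnt)
{
	unsigned int needed;

	switch (req->reg_type) {
	case MEMREG_TYPE_QP:
		if (req->sq_pages == 0 || req->rq_pages == 0)
			return -1;
		if (req->sq_pages > MAX_QUEUE_PAGES ||
		    req->rq_pages > MAX_QUEUE_PAGES)
			return -1;
		/* widen before adding so the sum cannot wrap in 16 bits */
		needed = (unsigned int)req->sq_pages + req->rq_pages;
		break;
	case MEMREG_TYPE_CQ:
		if (req->cq_pages == 0 || req->cq_pages > MAX_QUEUE_PAGES)
			return -1;
		needed = req->cq_pages;
		break;
	default:
		return -1; /* reg_type is user-controlled too: reject unknowns */
	}

	if (needed > page_cnt)
		return -1;
	return 0;
}

/* Wrapper that builds a request from scalar inputs and validates it. */
static int check_request(uint16_t reg_type, uint16_t sq, uint16_t rq,
			 uint16_t cq, unsigned int page_cnt)
{
	struct mem_reg_req req = {
		.reg_type = reg_type, .cq_pages = cq,
		.rq_pages = rq, .sq_pages = sq,
	};
	return validate_mem_reg_req(&req, page_cnt);
}

/* Entries the unchecked sink would size for the same scalar inputs. */
static unsigned int unchecked_entries(uint16_t sq, uint16_t rq)
{
	struct mem_reg_req req = { .reg_type = MEMREG_TYPE_QP,
				   .rq_pages = rq, .sq_pages = sq };
	return unchecked_qp_pbl_entries(&req);
}

int main(void)
{
	/* Constructed inputs: a sane QP request over an 8-page region, then
	 * the largest counts a 16-bit field can carry over the same region. */
	printf("sane QP request:   %d\n", check_request(MEMREG_TYPE_QP, 4, 4, 0, 8));
	printf("unchecked entries: %u\n", unchecked_entries(65535, 65535));
	printf("checked verdict:   %d\n", check_request(MEMREG_TYPE_QP, 65535, 65535, 0, 8));
	return 0;
}
```

The check against `page_cnt` is the part a per-field limit alone misses: two individually plausible counts can still sum to more pages than the region backing them, and that is exactly the kind of sink Coverity's TAINTED_SCALAR rule is built to flag.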