From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: Roland Dreier <roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Dan Carpenter
<dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Steve Wise <swise-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org>
Subject: Re: [PATCHv1 4/4] RDMA/cxgb4: add missing padding at end of struct c4iw_alloc_ucontext_resp
Date: Thu, 05 Jun 2014 09:28:53 +0200 [thread overview]
Message-ID: <1401953333.20659.6.camel@localhost.localdomain> (raw)
In-Reply-To: <1400739665.21049.5.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
Hi Roland,
Le jeudi 22 mai 2014 à 08:21 +0200, Yann Droneaud a écrit :
> Le lundi 05 mai 2014 à 19:35 +0200, Yann Droneaud a écrit :
> > i386 ABI disagree with most other ABIs regarding alignment
> > of data type larger than 4 bytes: on most ABIs a padding must
> > be added at end of the structures, while it is not required on
> > i386.
> >
> > So for most ABI struct c4iw_alloc_ucontext_resp get implicitly padded
> > to be aligned on a 8 bytes multiple, while for i386, such padding
> > is not added.
> >
> > Tool pahole could be used to find such implicit padding:
> >
> > $ pahole --anon_include \
> > --nested_anon_include \
> > --recursive \
> > --class_name c4iw_alloc_ucontext_resp \
> > drivers/infiniband/hw/cxgb4/iw_cxgb4.o
> >
> > Then, structure layout can be compared between i386 and x86_64:
> >
> > +++ obj-i386/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 11:43:05.547432195 +0100
> > --- obj-x86_64/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 10:55:10.990133017 +0100
> > @@ -2,9 +2,8 @@ struct c4iw_alloc_ucontext_resp {
> > __u64 status_page_key; /* 0 8 */
> > __u32 status_page_size; /* 8 4 */
> >
> > - /* size: 12, cachelines: 1, members: 2 */
> > - /* last cacheline: 12 bytes */
> > + /* size: 16, cachelines: 1, members: 2 */
> > + /* padding: 4 */
> > + /* last cacheline: 16 bytes */
> > };
> >
> > This ABI disagreement will make an x86_64 kernel try to write
> > past the buffer provided by an i386 binary.
> >
> > When boundary check will be implemented, the x86_64 kernel will
> > refuse to write past the i386 userspace provided buffer
> > and the uverbs will fail.
> >
> > If the structure lay in memory on a page boundary and next page
> > is not mapped, ib_copy_to_udata() will fail and the uverb
> > will fail.
> >
> > Additionally, as reported by Dan Carpenter, without the implicit
> > padding being properly cleared, an information leak would take
> > place in most architectures.
> >
> > This patch adds an explicit padding to struct c4iw_alloc_ucontext_resp,
> > and, like 92b0ca7cb149 ('IB/mlx5: Fix stack info leak in
> > mlx5_ib_alloc_ucontext()'), makes function c4iw_alloc_ucontext()
> > not writting this padding field to userspace. This way, x86_64 kernel
> > will be able to write struct c4iw_alloc_ucontext_resp as expected by
> > unpatched and patched i386 libcxgb4.
> >
> > Link: http://marc.info/?i=cover.1399309513.git.ydroneaud@opteya.com
> > Link: http://marc.info/?i=1395848977.3297.15.camel-bi+AKbBUZKaGOdeMZTrFbA@public.gmane.orgldomain
> > Link: http://marc.info/?i=20140328082428.GH25192@mwanda
> > Fixes: 05eb23893c2c ('cxgb4/iw_cxgb4: Doorbell Drop Avoidance Bug Fixes')
> > Reported-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
> > Reported-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
> > Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
>
> I believe this one should go in v3.15-rc7 as it fixes an issue
> introduced in v3.15-rc1. See
> http://marc.info/?i=20140328082428.GH25192@mwanda
> http://marc.info/?i=20140502235616.GJ4963@mwanda
>
> The other patchs could probably wait for v3.16-rc1 for integration in
> linux-stable.
>
I think this patch is likely not going to v3.15, so in order to have it
integrated in v3.15.x with the others, could you add Cc:
<stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> to this patch the next time you rebuild
your 'for-next' branch ?
Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Thanks a lot.
Regards.
--
Yann Droneaud
OPTEYA
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2014-06-05 7:28 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-05 17:33 [PATCHv1 for v3.15 0/4] uverbs ABI fixes Yann Droneaud
2014-05-05 17:33 ` [PATCHv1 3/4] RDMA/cxgb4: add missing padding at end of struct c4iw_create_cq_resp Yann Droneaud
[not found] ` <3fd6186b9729d69a3d8431bb5e0461eee1515484.1399309513.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-05-05 17:56 ` Steve Wise
[not found] ` <cover.1399309513.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-05-05 17:33 ` [PATCHv1 1/4] RDMA/mlx5: add missing padding at end of struct mlx5_ib_create_cq Yann Droneaud
2014-05-11 7:10 ` Eli Cohen
2014-06-05 7:35 ` Yann Droneaud
2014-05-05 17:33 ` [PATCHv1 2/4] RDMA/mlx5: add missing padding at end of struct mlx5_ib_create_srq Yann Droneaud
2014-05-11 7:12 ` Eli Cohen
2014-06-05 7:38 ` Yann Droneaud
[not found] ` <1401953883.20659.15.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2014-06-26 10:50 ` Eli Cohen
2014-05-05 17:35 ` [PATCHv1 4/4] RDMA/cxgb4: add missing padding at end of struct c4iw_alloc_ucontext_resp Yann Droneaud
[not found] ` <b08b42d735d0a9d573ed09f9a30338686a802da0.1399309513.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2014-05-05 17:55 ` Steve Wise
2014-05-22 6:21 ` Yann Droneaud
[not found] ` <1400739665.21049.5.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2014-06-05 7:28 ` Yann Droneaud [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1401953333.20659.6.camel@localhost.localdomain \
--to=ydroneaud-rly5vtjfyj3qt0dzr+alfa@public.gmane.org \
--cc=dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=roland-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=swise-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox