From: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: xavier.huwei-hv44wF8Li93QT0dZR+AlfA@public.gmane.org,
Lijun Ou <oulijun-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Why don't we always check that attr->port_num is valid?
Date: Mon, 2 Oct 2017 14:34:31 +0300 [thread overview]
Message-ID: <20171002113431.lqkf4ilmimjfouc7@mwanda> (raw)
The patch 926a01dc000d: "RDMA/hns: Add QP operations support for
hip08 SoC" from Aug 30, 2017, leads to the following static checker
warning:
drivers/infiniband/hw/hns/hns_roce_hw_v2.c:2721 hns_roce_v2_modify_qp()
error: buffer overflow 'hr_dev->iboe.phy_port' 6 <= 255
drivers/infiniband/hw/hns/hns_roce_hw_v2.c
2716
2717 if (attr_mask & IB_QP_MAX_DEST_RD_ATOMIC)
2718 hr_qp->resp_depth = attr->max_dest_rd_atomic;
2719 if (attr_mask & IB_QP_PORT) {
^^^^^^^^^^^^^^^^^^^^^^
2720 hr_qp->port = attr->port_num - 1;
^^^^^^^^^^^^^^^^^^
2721 hr_qp->phy_port = hr_dev->iboe.phy_port[hr_qp->port];
^^^^^^^^^^^
The warning here is that hns_roce_v2_modify_qp() is called with a user
controlled hr_qp->port and it can be in the 0-255 range. This is true.
*However* when IB_QP_PORT mask is set then ->port_num is checked.
2722 }
Here is how it looks in the caller, hns_roce_modify_qp():
drivers/infiniband/hw/hns/hns_roce_qp.c
757 if ((attr_mask & IB_QP_PORT) &&
758 (attr->port_num == 0 || attr->port_num > hr_dev->caps.num_ports)) {
759 dev_err(dev, "attr port_num invalid.attr->port_num=%d\n",
760 attr->port_num);
761 goto out;
762 }
We deliberately allow invalid attr->port_nums if IB_QP_PORT is not set.
Why must we do that? From a kernel hardening perspective it would be
better to ban invalid values all together...
I'm trying to think of a way to handle this kind of thing in Smatch but
it's like I end up with an explosion of states that end up consuming all
the RAM.
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next reply other threads:[~2017-10-02 11:34 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 11:34 Dan Carpenter [this message]
2017-10-02 15:20 ` Why don't we always check that attr->port_num is valid? Jason Gunthorpe
[not found] ` <20171002152033.GB12331-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2017-10-03 5:21 ` Leon Romanovsky
[not found] ` <20171003052159.GB26055-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2017-10-03 15:56 ` Chien Tin Tung
[not found] ` <20171003155606.GA12560-TZeIlv3TuzOfrEmaQUPKxl95YUYmaKo1UNDiOz3kqAs@public.gmane.org>
2017-10-03 16:50 ` Leon Romanovsky
[not found] ` <20171003165025.GC25829-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2017-10-03 19:40 ` Chien Tin Tung
2017-10-03 19:52 ` Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A82373AB19A8A5-P5GAC/sN6hkd3b2yrw5b5LfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2017-10-04 3:13 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171002113431.lqkf4ilmimjfouc7@mwanda \
--to=dan.carpenter-qhclzuegtsvqt0dzr+alfa@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=oulijun-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=xavier.huwei-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox