From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
RDMA mailing list
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Alaa Hleihel <alaa-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Noa Osherovich <noaos-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 09/15] IB/uverbs: Fix possible oops with duplicate ioctl attributes
Date: Tue, 13 Feb 2018 12:18:35 +0200
Message-ID: <20180213101841.20101-10-leon@kernel.org>
In-Reply-To: <20180213101841.20101-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>

From: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

If the same attribute is listed twice by the user in the ioctl attribute
list then error unwind can cause the kernel to deref garbage.

This happens when an object with WRITE access is sent twice. The second
parse properly fails but corrupts the state required for the error unwind
it triggers.

Fixing this by making duplicates in the attribute list invalid. This is
not something we need to support.

The ioctl interface is currently recommended to be disabled in Kconfig.

Signed-off-by: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
drivers/infiniband/core/uverbs_ioctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/uverbs_ioctl.c b/drivers/infiniband/core/uverbs_ioctl.c
index d96dc1d17be1..339b85145044 100644
--- a/drivers/infiniband/core/uverbs_ioctl.c
+++ b/drivers/infiniband/core/uverbs_ioctl.c
@@ -59,6 +59,9 @@ static int uverbs_process_attr(struct ib_device *ibdev,
return 0;
}
+ if (test_bit(attr_id, attr_bundle_h->valid_bitmap))
+ return -EINVAL;
+
spec = &attr_spec_bucket->attrs[attr_id];
e = &elements[attr_id];
e->uattr = uattr_ptr;
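
Review bot: The new test_bit(attr_id, attr_bundle_h->valid_bitmap) check has no comment, and nothing at this spot says why a repeated attr_id must be rejected before e->uattr is written. A one-line comment above the check, along the lines of "duplicate attributes would overwrite the state the error unwind relies on", would keep the guard from being dropped or moved below the assignments later. The check is only as strong as the place where the bit gets set, which is outside this hunk, so it is worth confirming that every attribute that passes this point has its bit set in valid_bitmap before the next attribute is processed. Since -EINVAL here is a userspace-visible change and the commit message describes a possible oops, a Fixes: tag would also help backporters.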
--
2.16.1