From: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Jason Gunthorpe <jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
RDMA mailing list
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Alaa Hleihel <alaa-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Noa Osherovich <noaos-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH rdma-rc 15/15] RDMA/uverbs: Protect from command mask overflow
Date: Tue, 13 Feb 2018 12:18:41 +0200 [thread overview]
Message-ID: <20180213101841.20101-16-leon@kernel.org> (raw)
In-Reply-To: <20180213101841.20101-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
From: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
The number of commands supported by the uverbs is less than 64, so let's
check it in advance that the supplied command is below that limit.
================================================================================
UBSAN: Undefined behaviour in
drivers/infiniband/core/uverbs_main.c:647:21
shift exponent 207 is too large for 64-bit type 'long long unsigned int'
CPU: 0 PID: 446 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #61
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
dump_stack+0xde/0x164
? dma_virt_map_sg+0x22c/0x22c
ubsan_epilogue+0xe/0x81
__ubsan_handle_shift_out_of_bounds+0x293/0x2f7
? debug_check_no_locks_freed+0x340/0x340
? __ubsan_handle_load_invalid_value+0x19b/0x19b
? lock_acquire+0x440/0x440
? lock_acquire+0x19d/0x440
? __might_fault+0xf4/0x240
? ib_uverbs_write+0x68d/0xe20
ib_uverbs_write+0x68d/0xe20
? __lock_acquire+0xcf7/0x3940
? uverbs_devnode+0x110/0x110
? cyc2ns_read_end+0x10/0x10
? sched_clock_cpu+0x18/0x200
? sched_clock_cpu+0x18/0x200
__vfs_write+0x10d/0x700
? uverbs_devnode+0x110/0x110
? kernel_read+0x170/0x170
? __fget+0x35b/0x5d0
? security_file_permission+0x93/0x260
vfs_write+0x1b0/0x550
SyS_write+0xc7/0x1a0
? SyS_read+0x1a0/0x1a0
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x18/0x85
RIP: 0033:0x448e29
RSP: 002b:00007f033f567c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f033f5686bc RCX: 0000000000448e29
RDX: 0000000000000060 RSI: 0000000020001000 RDI: 0000000000000012
RBP: 000000000070bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000056a0 R14: 00000000006e8740 R15: 0000000000000000
================================================================================
Cc: syzkaller <syzkaller-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> # 4.5
Fixes: 2dbd5186a39c ("IB/core: IB/core: Allow legacy verbs through extended interfaces")
Reported-by: Noa Osherovich <noaos-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Matan Barak <matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
---
drivers/infiniband/core/uverbs_main.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index cd72555ad457..b36cb12b3f38 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -650,12 +650,21 @@ static int verify_command_mask(struct ib_device *ib_dev, __u32 command)
return -1;
}
+static bool verify_command_idx(__u32 command, bool extended)
+{
+ if (extended)
+ return command < ARRAY_SIZE(uverbs_ex_cmd_table);
+
+ return command < ARRAY_SIZE(uverbs_cmd_table);
+}
+
static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
size_t count, loff_t *pos)
{
struct ib_uverbs_file *file = filp->private_data;
struct ib_device *ib_dev;
struct ib_uverbs_cmd_hdr hdr;
+ bool extended_command;
__u32 command;
__u32 flags;
int srcu_key;
@@ -688,6 +697,15 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
}
command = hdr.command & IB_USER_VERBS_CMD_COMMAND_MASK;
+ flags = (hdr.command &
+ IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
+
+ extended_command = flags & IB_USER_VERBS_CMD_FLAG_EXTENDED;
+ if (!verify_command_idx(command, extended_command)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
if (verify_command_mask(ib_dev, command)) {
ret = -EOPNOTSUPP;
goto out;
@@ -699,12 +717,8 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
goto out;
}
- flags = (hdr.command &
- IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
-
if (!flags) {
- if (command >= ARRAY_SIZE(uverbs_cmd_table) ||
- !uverbs_cmd_table[command]) {
+ if (!uverbs_cmd_table[command]) {
ret = -EINVAL;
goto out;
}
@@ -725,8 +739,7 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
struct ib_udata uhw;
size_t written_count = count;
- if (command >= ARRAY_SIZE(uverbs_ex_cmd_table) ||
- !uverbs_ex_cmd_table[command]) {
+ if (!uverbs_ex_cmd_table[command]) {
ret = -ENOSYS;
goto out;
}
--
2.16.1
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-13 10:18 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-13 10:18 [PATCH rdma-rc 00/15] RDMA fixes for v4.16 Leon Romanovsky
[not found] ` <20180213101841.20101-1-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 10:18 ` [PATCH rdma-rc 01/15] IB/ipoib: Do not warn if IPoIB debugfs doesn't exist Leon Romanovsky
[not found] ` <20180213101841.20101-2-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 16:06 ` Dennis Dalessandro
[not found] ` <a95eace1-2e3e-e97a-cbaa-ca58771e5cff-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-02-13 18:12 ` Leon Romanovsky
[not found] ` <20180213181205.GV2197-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2018-02-13 18:45 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 02/15] RDMA/restrack: Remove unimplemented XRCD object Leon Romanovsky
[not found] ` <20180213101841.20101-3-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 17:00 ` Dennis Dalessandro
[not found] ` <7e464caf-6875-9232-be9a-31324b03323f-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-02-13 18:09 ` Leon Romanovsky
[not found] ` <20180213180956.GU2197-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2018-02-13 18:16 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 03/15] IB/uverbs: Always the attribute size provided by the user Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 04/15] IB/uverbs: Use inline data transfer for UHW_IN Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 05/15] IB/uverbs: Use u64_to_user_ptr() not a union Leon Romanovsky
[not found] ` <20180213101841.20101-6-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 16:10 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 06/15] IB/uverbs: Fix method merging in uverbs_ioctl_merge Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 07/15] IB/uverbs: Use __aligned_u64 for uapi headers Leon Romanovsky
[not found] ` <20180213101841.20101-8-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 16:12 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 08/15] IB/uverbs: Add ioctl support for 32bit processes Leon Romanovsky
[not found] ` <20180213101841.20101-9-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 16:56 ` Dennis Dalessandro
[not found] ` <f77173f4-703b-b5ec-06ad-24263805251d-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-02-13 17:16 ` Jason Gunthorpe
[not found] ` <20180213171632.GI4499-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2018-02-14 11:31 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 09/15] IB/uverbs: Fix possible oops with duplicate ioctl attributes Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 10/15] IB/uverbs: Hold the uobj write lock after allocate Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 11/15] RDMA/uverbs: Protect from races between lookup and destroy of uobjects Leon Romanovsky
2018-02-13 10:18 ` [PATCH rdma-rc 12/15] IB/uverbs: Tidy lockdep_check Leon Romanovsky
[not found] ` <20180213101841.20101-13-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 17:10 ` Dennis Dalessandro
[not found] ` <1120b3ff-8cb4-d661-60b1-e1f7656840fd-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-02-13 17:23 ` Jason Gunthorpe
2018-02-13 10:18 ` [PATCH rdma-rc 13/15] IB/uverbs: Tidy uverbs_uobject_add Leon Romanovsky
[not found] ` <20180213101841.20101-14-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 17:09 ` Dennis Dalessandro
[not found] ` <c43bec28-0437-961e-fe65-55886973b6da-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-02-13 17:20 ` Jason Gunthorpe
[not found] ` <20180213172041.GJ4499-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2018-02-13 18:44 ` Dennis Dalessandro
2018-02-13 10:18 ` [PATCH rdma-rc 14/15] IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy Leon Romanovsky
[not found] ` <20180213101841.20101-15-leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2018-02-13 17:11 ` Dennis Dalessandro
2018-02-13 10:18 ` Leon Romanovsky [this message]
2018-02-15 22:26 ` [PATCH rdma-rc 00/15] RDMA fixes for v4.16 Jason Gunthorpe
2018-02-15 22:30 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180213101841.20101-16-leon@kernel.org \
--to=leon-dgejt+ai2ygdnm+yrofe0a@public.gmane.org \
--cc=alaa-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matanb-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=noaos-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).