public inbox for linux-rdma@vger.kernel.org
From: Jason Gunthorpe <jgg@nvidia.com>
To: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Cc: dledford@redhat.com, linux-rdma@vger.kernel.org,
	shiraz.saleem@intel.com, mustafa.ismail@intel.com,
	coverity-bot <keescook+coverity-bot@chromium.org>
Subject: Re: [PATCH rdma-next 1/3] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object
Date: Tue, 22 Jun 2021 14:58:44 -0300
Message-ID: <20210622175844.GE2371267@nvidia.com>
In-Reply-To: <20210622175232.439-2-tatyana.e.nikolova@intel.com>

On Tue, Jun 22, 2021 at 12:52:30PM -0500, Tatyana Nikolova wrote:
> From: Shiraz Saleem <shiraz.saleem@intel.com>
> 
> The contents of the user-space req object are used in array indexing
> in irdma_handle_q_mem without checking for valid values.
> 
> Guard against bad input on each of these req object pages by
> limiting them to the number of pages that make up the region.
> 
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
> Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
>  drivers/infiniband/hw/irdma/verbs.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
> index e8b170f0d997..8bd31656a83a 100644
> +++ b/drivers/infiniband/hw/irdma/verbs.c
> @@ -2360,10 +2360,8 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
>  	u64 *arr = iwmr->pgaddrmem;
>  	u32 pg_size;
>  	int err = 0;
> -	int total;
>  	bool ret = true;
>  
> -	total = req->sq_pages + req->rq_pages + req->cq_pages;
>  	pg_size = iwmr->page_size;
>  	err = irdma_setup_pbles(iwdev->rf, iwmr, use_pbles);
>  	if (err)
> @@ -2381,7 +2379,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
>  	switch (iwmr->type) {
>  	case IRDMA_MEMREG_TYPE_QP:
>  		hmc_p = &qpmr->sq_pbl;
> -		qpmr->shadow = (dma_addr_t)arr[total];
> +		qpmr->shadow = (dma_addr_t)arr[req->sq_pages + req->rq_pages];
>  
>  		if (use_pbles) {
>  			ret = irdma_check_mem_contiguous(arr, req->sq_pages,
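
Review bot: the new index req->sq_pages + req->rq_pages in the IRDMA_MEMREG_TYPE_QP case is still built from user-supplied fields inside irdma_handle_q_mem with no bound in this function, so its safety rests entirely on the caller having validated them against the region's page count. A short comment naming that precondition would help. The commit message also describes only added guards, while this line changes which element is read for the shadow address (previously arr[total], which included cq_pages); that is worth stating in the changelog.
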
> @@ -2406,7 +2404,7 @@ static int irdma_handle_q_mem(struct irdma_device *iwdev,
>  		hmc_p = &cqmr->cq_pbl;
>  
>  		if (!cqmr->split)
> -			cqmr->shadow = (dma_addr_t)arr[total];
> +			cqmr->shadow = (dma_addr_t)arr[req->cq_pages];
>  
>  		if (use_pbles)
>  			ret = irdma_check_mem_contiguous(arr, req->cq_pages,
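
Review bot: arr[req->cq_pages] in the !cqmr->split branch reads the element one past the CQ pages, so it needs req->cq_pages + 1 <= the region's page count to have been enforced beforehand, and the part of the patch quoted here shows a bound only for IRDMA_MEMREG_TYPE_QP. Please confirm the CQ case gets an equivalent check that accounts for the shadow page when the CQ is not split.
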
> @@ -2748,6 +2746,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
>  	struct ib_umem *region;
>  	struct irdma_mem_reg_req req;
>  	u32 stag = 0;
> +	u8 shadow_pgcnt = 1;
>  	bool use_pbles = false;
>  	unsigned long flags;
>  	int err = -EINVAL;
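
Review bot: shadow_pgcnt is introduced as a u8 initialised to 1 without saying what it counts or when it would differ from 1. A one-line comment, or a named constant if the value never changes, would make the later bound check easier to read.
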
> @@ -2795,6 +2794,10 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
>  
>  	switch (req.reg_type) {
>  	case IRDMA_MEMREG_TYPE_QP:
> +		if (req.sq_pages + req.rq_pages + shadow_pgcnt > iwmr->page_cnt) {
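
Review bot: the bound in the IRDMA_MEMREG_TYPE_QP case adds three values before comparing, two of them taken straight from the user-space req, so whether the sum can wrap depends on field widths that are not visible in this hunk. Using check_add_overflow() for the additions, or comparing each term against what remains of iwmr->page_cnt, keeps the test correct regardless of those types.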

Math on values from userspace should use the check overflow helpers or
otherwise be designed to be overflow safe

Jason
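
Added example, not part of the original message or of the irdma driver: a user-space C sketch of the review point above, comparing a naive sum-then-compare bound with two overflow-safe forms. The struct mem_req type, the function names and the 32-bit field widths are assumptions made for illustration; the page does not show the real struct definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a request copied from user space; the 32-bit
 * field widths are an assumption made for this illustration. */
struct mem_req {
	uint32_t sq_pages;
	uint32_t rq_pages;
};

/* Naive form: the sum is computed in 32 bits and can wrap before the compare. */
static bool naive_ok(const struct mem_req *r, uint32_t shadow, uint32_t page_cnt)
{
	return !(r->sq_pages + r->rq_pages + shadow > page_cnt);
}

/* Checked form: every addition reports overflow, as the kernel's
 * check_add_overflow() helper does (it wraps the same compiler builtin). */
static bool checked_ok(const struct mem_req *r, uint32_t shadow, uint32_t page_cnt)
{
	uint32_t total;

	if (__builtin_add_overflow(r->sq_pages, r->rq_pages, &total) ||
	    __builtin_add_overflow(total, shadow, &total))
		return false;
	return total <= page_cnt;
}

/* Overflow-safe by design: only subtract after proving it cannot underflow. */
static bool subtract_ok(const struct mem_req *r, uint32_t shadow, uint32_t page_cnt)
{
	if (shadow > page_cnt || r->sq_pages > page_cnt - shadow)
		return false;
	return r->rq_pages <= page_cnt - shadow - r->sq_pages;
}

int main(void)
{
	/* Constructed input: the sum 0xFFFFFFFF + 1 + 1 wraps to 1. */
	struct mem_req bad = { .sq_pages = 0xFFFFFFFFu, .rq_pages = 1 };
	struct mem_req good = { .sq_pages = 4, .rq_pages = 3 };

	printf("bad:  naive=%d checked=%d subtract=%d\n", naive_ok(&bad, 1, 8),
	       checked_ok(&bad, 1, 8), subtract_ok(&bad, 1, 8));
	printf("good: naive=%d checked=%d subtract=%d\n", naive_ok(&good, 1, 8),
	       checked_ok(&good, 1, 8), subtract_ok(&good, 1, 8));
	return 0;
}
```

With the constructed wrapping input the naive check accepts the request while both safe forms reject it; all three agree on in-range input.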

Thread overview: 9+ messages
2021-06-22 17:52 [PATCH rdma-next 0/3] irdma coverity fixes Tatyana Nikolova
2021-06-22 17:52 ` [PATCH rdma-next 1/3] RDMA/irdma: Check contents of user-space irdma_mem_reg_req object Tatyana Nikolova
2021-06-22 17:58   ` Jason Gunthorpe [this message]
2021-06-22 21:56     ` Nikolova, Tatyana E
2021-06-22 23:33       ` Jason Gunthorpe
2021-06-22 17:52 ` [PATCH rdma-next 2/3] RDMA/irdma: Check return value from ib_umem_find_best_pgsz Tatyana Nikolova
2021-06-22 18:28   ` Jason Gunthorpe
2021-06-22 17:52 ` [PATCH rdma-next 3/3] RDMA/irdma: Fix potential overflow expression in irdma_prm_get_pbles Tatyana Nikolova
2021-06-22 18:07   ` Jason Gunthorpe