From: Leon Romanovsky <leon@kernel.org>
To: Yi Liu <asatsuyu.liu@gmail.com>
Cc: linux-rdma@vger.kernel.org
Subject: Re: [BUG] libibverbs: ibv_create_qp crashes when recv_cq=NULL (expected EINVAL)
Date: Tue, 16 Sep 2025 09:52:31 +0300
Message-ID: <20250916065231.GA82444@unreal>
In-Reply-To: <CANQ=Xi0iVdA=KR89vEfJQjVzkyRoMhmNm4er8iSwNum8oVuGhA@mail.gmail.com>

On Mon, Sep 15, 2025 at 11:44:07AM +0800, Yi Liu wrote:
> Hi RDMA maintainers,
> 
> I would like to report a robustness issue in libibverbs (rdma-core).
> 
> **Environment:**
> - Distro: Ubuntu 22.04 (kernel 6.8.0-65-generic)
> - rdma-core version: 39.0-1
> - libibverbs version: 39.0-1 (package: libibverbs1:amd64)
> - Provider: rxe
> - Reproduced with both gdb and ASan
> 
> **Problem description:**
> When calling `ibv_create_qp()` with `attr.recv_cq = NULL` (while
> `qp_type = IBV_QPT_RC`), the process crashes inside `ibv_icmd_create_qp()`
> due to an unconditional dereference of `attr_ex->recv_cq->handle`.
> Instead of returning `-1` with `errno = EINVAL`, libibverbs causes a
> segmentation fault.

Garbage as an input -> garbage as an output.
It is perfectly valid to crash an application if wrong input was provided
to the library.

<...>

> 
> **Security consideration**:
> This is primarily a robustness bug. In environments where applications may be
> driven by untrusted inputs (e.g. fuzzing frameworks, multi-tenant clusters),
> it could be considered a denial-of-service vulnerability.
> Please advise whether this should be treated as CVE-worthy or just a
> robustness fix.

No, there is nothing CVE related here. It is not even a bug.

Thanks

> 
> Thanks for your attention!
> 
> Best regards,
> 
> Yi Liu
> 
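Since the thread's position is that libibverbs will not validate the QP attributes for you, an application that builds `struct ibv_qp_init_attr` from untrusted input has to do that check itself before calling `ibv_create_qp()`. The following is an added example (not from the thread or from rdma-core) of such a caller-side guard: it returns `-1` with `errno = EINVAL` for a NULL `send_cq`/`recv_cq` or an unrecognised `qp_type`, which is exactly the behaviour the report expected from the library. It uses the real `<infiniband/verbs.h>` when present; otherwise it falls back to a constructed stand-in with the same field names so the file compiles anywhere. The function name `validate_qp_init_attr` and the placeholder CQ pointers are this example's own.

```c
/* Added example, not code from the thread or from rdma-core. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __has_include
# if __has_include(<infiniband/verbs.h>)
#  include <infiniband/verbs.h>
#  define HAVE_VERBS_H 1
# endif
#endif

#ifndef HAVE_VERBS_H
/* Constructed stand-in for the libibverbs types used below (same field
 * names as the real header), so the example builds without rdma-core. */
struct ibv_cq;
struct ibv_qp_cap {
    unsigned int max_send_wr, max_recv_wr, max_send_sge,
                 max_recv_sge, max_inline_data;
};
enum ibv_qp_type { IBV_QPT_RC = 2, IBV_QPT_UC = 3, IBV_QPT_UD = 4 };
struct ibv_qp_init_attr {
    void *qp_context;
    struct ibv_cq *send_cq;
    struct ibv_cq *recv_cq;
    void *srq;
    struct ibv_qp_cap cap;
    enum ibv_qp_type qp_type;
    int sq_sig_all;
};
#endif

/* Hypothetical caller-side guard. Returns 0 when attr is safe to hand to
 * ibv_create_qp(); otherwise returns -1 and sets errno = EINVAL so the
 * caller fails cleanly instead of letting the library dereference NULL. */
int validate_qp_init_attr(const struct ibv_qp_init_attr *attr)
{
    if (attr == NULL) {
        errno = EINVAL;
        return -1;
    }

    switch (attr->qp_type) {
    case IBV_QPT_RC:
    case IBV_QPT_UC:
    case IBV_QPT_UD:
        break;
    default:
        /* Transport types this guard does not cover are rejected rather
         * than passed through with unchecked assumptions. */
        errno = EINVAL;
        return -1;
    }

    /* Both completion queues are dereferenced by the library for these
     * QP types (the report shows recv_cq->handle), so neither may be NULL. */
    if (attr->send_cq == NULL || attr->recv_cq == NULL) {
        errno = EINVAL;
        return -1;
    }

    return 0;
}

int main(void)
{
    struct ibv_qp_init_attr attr;
    int placeholder;  /* constructed: only its address is used, never dereferenced */

    memset(&attr, 0, sizeof(attr));
    attr.qp_type = IBV_QPT_RC;
    attr.send_cq = (struct ibv_cq *)&placeholder;
    attr.recv_cq = NULL;  /* the exact input from the bug report */

    if (validate_qp_init_attr(&attr) < 0)
        printf("rejected before ibv_create_qp(): errno=%d (%s)\n",
               errno, strerror(errno));
    else
        printf("attributes accepted\n");
    return 0;
}
```

The guard only covers the crash path the thread describes (NULL CQ pointers on RC/UC/UD QPs); other constraints the provider or kernel enforce, such as capability limits, are still reported by `ibv_create_qp()` itself.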
