[BUG] librdmacm: Accessing out-of-bounds memory

public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed

* [BUG] librdmacm: Accessing out-of-bounds memory
@ 2026-04-07 13:14 Korb, Andreas
  2026-04-12 14:04 ` Leon Romanovsky
  0 siblings, 1 reply; 2+ messages in thread
From: Korb, Andreas @ 2026-04-07 13:14 UTC (permalink / raw)
  To: linux-rdma@vger.kernel.org

[-- Attachment #1: Type: text/plain, Size: 2308 bytes --]

The function `ds_init_ep` in librdmacm/rsocket.c may access memory via an object that is not allocated for this object.

Relevant lines from this function:

// (1): Prepare `struct rsocket` 
ds_set_qp_size(rs);
// (2): Allocation
rs->sbuf = calloc(rs->sq_size, RS_SNDLOWAT);
// (3): Copy pointer to rs->smsg_free
rs->smsg_free = (struct ds_smsg *) rs->sbuf;
// (4): Copy pointer to msg
msg = rs->smsg_free;
// (5): Write to msg->next
msg->next = NULL;

Within my podman container:
Before (1): rs->sq_size = rs->rq_size = 384
After (1): rs->sq_size = rs->rq_size = 0
Therefore, (2) does not reserve a buffer, but still returns a pointer which can be freed later, as described by man-page calloc(3p).
(5) writes data to the buffer allocated in (2). If no actual buffer is allocated, it overwrites arbitrary data, yielding undefined
behavior.

I found it by executing /usr/bin/udpong (without any arguments) with libscudo on an arm64 server with memory tagging enabled. It
immediately crashes with a segmentation fault, then. Without memory tagging, the bug stays undetected, and execution continues.
The code behavior described above also happens on x86-64, there it doesn't result in a crash and is silently ignored because of the
lack of MemoryTagging. Valgrind also detects this violation, however.

In summary:
The libc man-page states that if the allocated buffer size is 0, then either:
>        *  A null pointer shall be returned and errno may be set to an
>        implementation-defined value, or
>        *  A pointer to the allocated space shall be returned. The
>        application shall ensure that the pointer is not used to
>        access an object.

and the function `ds_init_ep` misses to ensure to work for the second case.

* Linux distribution and version
Debian Trixie (in podman container) 

* Linux kernel and version
Linux arm01 6.12.22+bpo-arm64 #1 SMP Debian 6.12.22-1~bpo12+1 (2025-04-25) aarch64 GNU/Linux

* InfiniBand hardware and firmware version
None available in podman container

* How to reproduce
As I'm assuming most people use x86_64 machines, this shows the bug with valrind:
podman run --rm -e DEBUGINFOD_URLS="https://debuginfod.debian.net" debian:trixie bash -lc 'apt-get update && apt-get install -y
valgrind rdmacm-utils debuginfod && valgrind /usr/bin/udpong' 

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 8022 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [BUG] librdmacm: Accessing out-of-bounds memory
  2026-04-07 13:14 [BUG] librdmacm: Accessing out-of-bounds memory Korb, Andreas
@ 2026-04-12 14:04 ` Leon Romanovsky
  0 siblings, 0 replies; 2+ messages in thread
From: Leon Romanovsky @ 2026-04-12 14:04 UTC (permalink / raw)
  To: Korb, Andreas; +Cc: linux-rdma@vger.kernel.org

On Tue, Apr 07, 2026 at 01:14:45PM +0000, Korb, Andreas wrote:
> The function `ds_init_ep` in librdmacm/rsocket.c may access memory via an object that is not allocated for this object.
> 
> Relevant lines from this function:
> 
> // (1): Prepare `struct rsocket` 
> ds_set_qp_size(rs);
> // (2): Allocation
> rs->sbuf = calloc(rs->sq_size, RS_SNDLOWAT);
> // (3): Copy pointer to rs->smsg_free
> rs->smsg_free = (struct ds_smsg *) rs->sbuf;
> // (4): Copy pointer to msg
> msg = rs->smsg_free;
> // (5): Write to msg->next
> msg->next = NULL;
> 
> Within my podman container:
> Before (1): rs->sq_size = rs->rq_size = 384
> After (1): rs->sq_size = rs->rq_size = 0
> Therefore, (2) does not reserve a buffer, but still returns a pointer which can be freed later, as described by man-page calloc(3p).
> (5) writes data to the buffer allocated in (2). If no actual buffer is allocated, it overwrites arbitrary data, yielding undefined
> behavior.
> 
> I found it by executing /usr/bin/udpong (without any arguments) with libscudo on an arm64 server with memory tagging enabled. It
> immediately crashes with a segmentation fault, then. Without memory tagging, the bug stays undetected, and execution continues.
> The code behavior described above also happens on x86-64, there it doesn't result in a crash and is silently ignored because of the
> lack of MemoryTagging. Valgrind also detects this violation, however.
> 
> In summary:
> The libc man-page states that if the allocated buffer size is 0, then either:
> >        *  A null pointer shall be returned and errno may be set to an
> >        implementation-defined value, or
> >        *  A pointer to the allocated space shall be returned. The
> >        application shall ensure that the pointer is not used to
> >        access an object.

Can you please provide a link to these sentences in the manual?

You provided invalid value as sq_size and rq_size. It is expected that
library won't work after that.

Thanks

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-12 14:04 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-07 13:14 [BUG] librdmacm: Accessing out-of-bounds memory Korb, Andreas
2026-04-12 14:04 ` Leon Romanovsky

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox