* [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
@ 2026-06-08 13:47 Aurelien DESBRIERES
2026-06-08 14:21 ` Haris Iqbal
2026-06-08 18:27 ` Jason Gunthorpe
0 siblings, 2 replies; 3+ messages in thread
From: Aurelien DESBRIERES @ 2026-06-08 13:47 UTC (permalink / raw)
To: linux-rdma
Cc: jgg, leon, haris.iqbal, jinpu.wang, gregkh, Aurelien DESBRIERES
usr_len is read from a network-supplied message field (le16_to_cpu)
and used to compute data_len = off - usr_len without validating that
usr_len <= off. A malicious RDMA client can send usr_len > off causing
an integer underflow, resulting in data_len wrapping to a huge size_t
value which is then passed to the rdma_ev callback as a memory length,
leading to out-of-bounds memory access.
Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
in both process_read() and process_write(), ensuring the early return
path acquires no reference and has no resource leak.
Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude <claude-sonnet-4-6>
---
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 6482ad859..f2fd80c8a 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -1059,6 +1059,11 @@ static void process_read(struct rtrs_srv_con *con,
"Processing read request failed, invalid message\n");
return;
}
+ usr_len = le16_to_cpu(msg->usr_len);
+ if (usr_len > off) {
+ pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
+ return;
+ }
rtrs_srv_get_ops_ids(srv_path);
rtrs_srv_update_rdma_stats(srv_path->stats, off, READ);
id = srv_path->ops_ids[buf_id];
@@ -1066,7 +1071,6 @@ static void process_read(struct rtrs_srv_con *con,
id->dir = READ;
id->msg_id = buf_id;
id->rd_msg = msg;
- usr_len = le16_to_cpu(msg->usr_len);
data_len = off - usr_len;
data = page_address(srv->chunks[buf_id]);
ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
@@ -1112,6 +1116,11 @@ static void process_write(struct rtrs_srv_con *con,
rtrs_srv_state_str(srv_path->state));
return;
}
+ usr_len = le16_to_cpu(req->usr_len);
+ if (usr_len > off) {
+ pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
+ return;
+ }
rtrs_srv_get_ops_ids(srv_path);
rtrs_srv_update_rdma_stats(srv_path->stats, off, WRITE);
id = srv_path->ops_ids[buf_id];
@@ -1119,7 +1128,6 @@ static void process_write(struct rtrs_srv_con *con,
id->dir = WRITE;
id->msg_id = buf_id;
- usr_len = le16_to_cpu(req->usr_len);
data_len = off - usr_len;
data = page_address(srv->chunks[buf_id]);
ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
@ 2026-06-08 14:21 ` Haris Iqbal
2026-06-08 18:27 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Haris Iqbal @ 2026-06-08 14:21 UTC (permalink / raw)
To: Aurelien DESBRIERES; +Cc: linux-rdma, jgg, leon, jinpu.wang, gregkh
On Mon, Jun 8, 2026 at 3:48 PM Aurelien DESBRIERES
<aurelien@hackers.camp> wrote:
>
> usr_len is read from a network-supplied message field (le16_to_cpu)
> and used to compute data_len = off - usr_len without validating that
> usr_len <= off. A malicious RDMA client can send usr_len > off causing
> an integer underflow, resulting in data_len wrapping to a huge size_t
> value which is then passed to the rdma_ev callback as a memory length,
> leading to out-of-bounds memory access.
>
> Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
> in both process_read() and process_write(), ensuring the early return
> path acquires no reference and has no resource leak.
>
> Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Assisted-by: Claude <claude-sonnet-4-6>
Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> index 6482ad859..f2fd80c8a 100644
> --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> @@ -1059,6 +1059,11 @@ static void process_read(struct rtrs_srv_con *con,
> "Processing read request failed, invalid message\n");
> return;
> }
> + usr_len = le16_to_cpu(msg->usr_len);
> + if (usr_len > off) {
> + pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
> + return;
> + }
> rtrs_srv_get_ops_ids(srv_path);
> rtrs_srv_update_rdma_stats(srv_path->stats, off, READ);
> id = srv_path->ops_ids[buf_id];
> @@ -1066,7 +1071,6 @@ static void process_read(struct rtrs_srv_con *con,
> id->dir = READ;
> id->msg_id = buf_id;
> id->rd_msg = msg;
> - usr_len = le16_to_cpu(msg->usr_len);
> data_len = off - usr_len;
> data = page_address(srv->chunks[buf_id]);
> ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
> @@ -1112,6 +1116,11 @@ static void process_write(struct rtrs_srv_con *con,
> rtrs_srv_state_str(srv_path->state));
> return;
> }
> + usr_len = le16_to_cpu(req->usr_len);
> + if (usr_len > off) {
> + pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
> + return;
> + }
> rtrs_srv_get_ops_ids(srv_path);
> rtrs_srv_update_rdma_stats(srv_path->stats, off, WRITE);
> id = srv_path->ops_ids[buf_id];
> @@ -1119,7 +1128,6 @@ static void process_write(struct rtrs_srv_con *con,
> id->dir = WRITE;
> id->msg_id = buf_id;
>
> - usr_len = le16_to_cpu(req->usr_len);
> data_len = off - usr_len;
> data = page_address(srv->chunks[buf_id]);
> ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
> --
> 2.43.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
2026-06-08 14:21 ` Haris Iqbal
@ 2026-06-08 18:27 ` Jason Gunthorpe
1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2026-06-08 18:27 UTC (permalink / raw)
To: Aurelien DESBRIERES; +Cc: linux-rdma, leon, haris.iqbal, jinpu.wang, gregkh
On Mon, Jun 08, 2026 at 03:47:15PM +0200, Aurelien DESBRIERES wrote:
> usr_len is read from a network-supplied message field (le16_to_cpu)
> and used to compute data_len = off - usr_len without validating that
> usr_len <= off. A malicious RDMA client can send usr_len > off causing
> an integer underflow, resulting in data_len wrapping to a huge size_t
> value which is then passed to the rdma_ev callback as a memory length,
> leading to out-of-bounds memory access.
>
> Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
> in both process_read() and process_write(), ensuring the early return
> path acquires no reference and has no resource leak.
>
> Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Assisted-by: Claude <claude-sonnet-4-6>
> Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
> drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
Applied, thanks
Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-08 18:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
2026-06-08 14:21 ` Haris Iqbal
2026-06-08 18:27 ` Jason Gunthorpe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox