[PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process

Linux RDMA and InfiniBand development
 help / color / mirror / Atom feed

* [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
@ 2026-06-08 13:47 Aurelien DESBRIERES
  2026-06-08 14:21 ` Haris Iqbal
  2026-06-08 18:27 ` Jason Gunthorpe
  0 siblings, 2 replies; 3+ messages in thread
From: Aurelien DESBRIERES @ 2026-06-08 13:47 UTC (permalink / raw)
  To: linux-rdma
  Cc: jgg, leon, haris.iqbal, jinpu.wang, gregkh, Aurelien DESBRIERES

usr_len is read from a network-supplied message field (le16_to_cpu)
and used to compute data_len = off - usr_len without validating that
usr_len <= off. A malicious RDMA client can send usr_len > off causing
an integer underflow, resulting in data_len wrapping to a huge size_t
value which is then passed to the rdma_ev callback as a memory length,
leading to out-of-bounds memory access.

Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
in both process_read() and process_write(), ensuring the early return
path acquires no reference and has no resource leak.

Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude <claude-sonnet-4-6>
---
 drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 6482ad859..f2fd80c8a 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -1059,6 +1059,11 @@ static void process_read(struct rtrs_srv_con *con,
 			    "Processing read request failed, invalid message\n");
 		return;
 	}
+	usr_len = le16_to_cpu(msg->usr_len);
+	if (usr_len > off) {
+		pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
+		return;
+	}
 	rtrs_srv_get_ops_ids(srv_path);
 	rtrs_srv_update_rdma_stats(srv_path->stats, off, READ);
 	id = srv_path->ops_ids[buf_id];
@@ -1066,7 +1071,6 @@ static void process_read(struct rtrs_srv_con *con,
 	id->dir		= READ;
 	id->msg_id	= buf_id;
 	id->rd_msg	= msg;
-	usr_len = le16_to_cpu(msg->usr_len);
 	data_len = off - usr_len;
 	data = page_address(srv->chunks[buf_id]);
 	ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
@@ -1112,6 +1116,11 @@ static void process_write(struct rtrs_srv_con *con,
 			     rtrs_srv_state_str(srv_path->state));
 		return;
 	}
+	usr_len = le16_to_cpu(req->usr_len);
+	if (usr_len > off) {
+		pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
+		return;
+	}
 	rtrs_srv_get_ops_ids(srv_path);
 	rtrs_srv_update_rdma_stats(srv_path->stats, off, WRITE);
 	id = srv_path->ops_ids[buf_id];
@@ -1119,7 +1128,6 @@ static void process_write(struct rtrs_srv_con *con,
 	id->dir    = WRITE;
 	id->msg_id = buf_id;
 
-	usr_len = le16_to_cpu(req->usr_len);
 	data_len = off - usr_len;
 	data = page_address(srv->chunks[buf_id]);
 	ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
  2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
@ 2026-06-08 14:21 ` Haris Iqbal
  2026-06-08 18:27 ` Jason Gunthorpe
  1 sibling, 0 replies; 3+ messages in thread
From: Haris Iqbal @ 2026-06-08 14:21 UTC (permalink / raw)
  To: Aurelien DESBRIERES; +Cc: linux-rdma, jgg, leon, jinpu.wang, gregkh

On Mon, Jun 8, 2026 at 3:48 PM Aurelien DESBRIERES
<aurelien@hackers.camp> wrote:
>
> usr_len is read from a network-supplied message field (le16_to_cpu)
> and used to compute data_len = off - usr_len without validating that
> usr_len <= off. A malicious RDMA client can send usr_len > off causing
> an integer underflow, resulting in data_len wrapping to a huge size_t
> value which is then passed to the rdma_ev callback as a memory length,
> leading to out-of-bounds memory access.
>
> Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
> in both process_read() and process_write(), ensuring the early return
> path acquires no reference and has no resource leak.
>
> Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Assisted-by: Claude <claude-sonnet-4-6>

Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>

> ---
>  drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> index 6482ad859..f2fd80c8a 100644
> --- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> +++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
> @@ -1059,6 +1059,11 @@ static void process_read(struct rtrs_srv_con *con,
>                             "Processing read request failed, invalid message\n");
>                 return;
>         }
> +       usr_len = le16_to_cpu(msg->usr_len);
> +       if (usr_len > off) {
> +               pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
> +               return;
> +       }
>         rtrs_srv_get_ops_ids(srv_path);
>         rtrs_srv_update_rdma_stats(srv_path->stats, off, READ);
>         id = srv_path->ops_ids[buf_id];
> @@ -1066,7 +1071,6 @@ static void process_read(struct rtrs_srv_con *con,
>         id->dir         = READ;
>         id->msg_id      = buf_id;
>         id->rd_msg      = msg;
> -       usr_len = le16_to_cpu(msg->usr_len);
>         data_len = off - usr_len;
>         data = page_address(srv->chunks[buf_id]);
>         ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
> @@ -1112,6 +1116,11 @@ static void process_write(struct rtrs_srv_con *con,
>                              rtrs_srv_state_str(srv_path->state));
>                 return;
>         }
> +       usr_len = le16_to_cpu(req->usr_len);
> +       if (usr_len > off) {
> +               pr_debug("rtrs-srv: Invalid usr_len %zu > off %u\n", usr_len, off);
> +               return;
> +       }
>         rtrs_srv_get_ops_ids(srv_path);
>         rtrs_srv_update_rdma_stats(srv_path->stats, off, WRITE);
>         id = srv_path->ops_ids[buf_id];
> @@ -1119,7 +1128,6 @@ static void process_write(struct rtrs_srv_con *con,
>         id->dir    = WRITE;
>         id->msg_id = buf_id;
>
> -       usr_len = le16_to_cpu(req->usr_len);
>         data_len = off - usr_len;
>         data = page_address(srv->chunks[buf_id]);
>         ret = ctx->ops.rdma_ev(srv->priv, id, data, data_len,
> --
> 2.43.0
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write
  2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
  2026-06-08 14:21 ` Haris Iqbal
@ 2026-06-08 18:27 ` Jason Gunthorpe
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Gunthorpe @ 2026-06-08 18:27 UTC (permalink / raw)
  To: Aurelien DESBRIERES; +Cc: linux-rdma, leon, haris.iqbal, jinpu.wang, gregkh

On Mon, Jun 08, 2026 at 03:47:15PM +0200, Aurelien DESBRIERES wrote:
> usr_len is read from a network-supplied message field (le16_to_cpu)
> and used to compute data_len = off - usr_len without validating that
> usr_len <= off. A malicious RDMA client can send usr_len > off causing
> an integer underflow, resulting in data_len wrapping to a huge size_t
> value which is then passed to the rdma_ev callback as a memory length,
> leading to out-of-bounds memory access.
> 
> Fix by reading and validating usr_len <= off before rtrs_srv_get_ops_ids()
> in both process_read() and process_write(), ensuring the early return
> path acquires no reference and has no resource leak.
> 
> Reported-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Reviewed-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
> Assisted-by: Claude <claude-sonnet-4-6>
> Acked-by: Md Haris Iqbal <haris.iqbal@ionos.com>
> ---
>  drivers/infiniband/ulp/rtrs/rtrs-srv.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)

Applied, thanks

Jason

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-08 18:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-08 13:47 [PATCH] RDMA/rtrs-srv: Fix integer underflow in process_read and process_write Aurelien DESBRIERES
2026-06-08 14:21 ` Haris Iqbal
2026-06-08 18:27 ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox