From: Tristan Madani <tristmd@gmail.com>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>,
Zhu Yanjun <yanjun.zhu@linux.dev>,
Zhu Yanjun <zyjzyj2000@gmail.com>,
linux-rdma@vger.kernel.org
Subject: Re: [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in receive path
Date: Tue, 19 May 2026 22:30:20 +0000 [thread overview]
Message-ID: <6a0ce47d.096dab79.284c84.5b30@mx.google.com> (raw)
In-Reply-To: <20260519150042.GL7702@ziepe.ca>
On Tue, 19 May 2026, Jason Gunthorpe wrote:
> Simple misbehave is one thing, but if userspace can hack the kernel
> and gain control of it through this shared memory then we have to fix
> it.
The non-SRQ receive path in check_resource() sets qp->resp.wqe
directly into the shared mmap buffer:
qp->resp.wqe = queue_head(qp->rq.queue, QUEUE_TYPE_FROM_CLIENT);
No copy, no validation of the WQE fields. Every subsequent access
to wqe->dma.num_sge, wqe->dma.sge[].lkey, and wqe->dma.sge[].addr
reads from memory that userspace can modify concurrently.
The concrete problem is in copy_data(), called via send_data_in().
It re-reads dma->num_sge from the shared buffer on every loop
iteration (the dma->cur_sge >= dma->num_sge bound check), and uses
sge->lkey for lookup_mr() and sge->addr to compute the iova for
rxe_mr_copy(). A concurrent thread can:
1. Increase num_sge: the sge pointer walks past the WQE's
allocated SGE slots into adjacent queue entries, and the
kernel acts on whatever lkey/addr/length values it finds
there -- all attacker-controlled through the same mmap.
2. Swap sge[].lkey between iterations: redirect the MR lookup
to a different memory region.
3. Modify sge[].addr: shift the write target within the
resolved MR.
The data being written is incoming packet payload (attacker-
controlled in loopback), direction is RXE_TO_MR_OBJ.
The SRQ path already handles this correctly: get_srq_wqe() copies
the WQE to kernel memory with memcpy() and validates num_sge
against max_sge before use. The comment there says "don't trust
user space data". The non-SRQ path has neither the copy nor the
validation.
The race window is not tight -- the shared pointer is set during
RESPST_CHK_RESOURCE and the fields are consumed across CHK_LENGTH
and EXECUTE before copy_data() runs.
I can provide a reproducer if that helps move the patches forward.
Tristan
next prev parent reply other threads:[~2026-05-19 22:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 21:50 [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in receive path Tristan Madani
2026-05-18 21:50 ` [PATCH 1/2] RDMA/rxe: fix TOCTOU heap overflow in get_srq_wqe Tristan Madani
2026-05-18 21:50 ` [PATCH 2/2] RDMA/rxe: copy WQE to local buffer in non-SRQ receive path Tristan Madani
2026-05-19 2:03 ` [PATCH 0/2] RDMA/rxe: fix shared memory TOCTOU in " Zhu Yanjun
2026-05-19 14:56 ` Leon Romanovsky
2026-05-19 15:00 ` Jason Gunthorpe
2026-05-19 22:30 ` Tristan Madani [this message]
2026-05-20 0:07 ` Yanjun.Zhu
2026-05-20 12:03 ` Tristan Madani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a0ce47d.096dab79.284c84.5b30@mx.google.com \
--to=tristmd@gmail.com \
--cc=jgg@ziepe.ca \
--cc=leon@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=yanjun.zhu@linux.dev \
--cc=zyjzyj2000@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox