[PATCH] RDMA/siw: Set defined status for work completion with undefined status

public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] RDMA/siw: Set defined status for work completion with undefined status
@ 2022-11-15 17:07 Bernard Metzler
  2022-11-15 20:52 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Bernard Metzler @ 2022-11-15 17:07 UTC (permalink / raw)
  To: linux-rdma; +Cc: jgg, leonro, Bernard Metzler, Dan Carpenter

A malicious user may write undefined values into memory mapped completion
queue elements status or opcode. Undefined status or opcode values will
result in out-of-bounds access to an array mapping siw internal
representation of opcode and status to RDMA core representation when
reaping CQ elements. While siw detects those undefined values,
it did not correctly set completion status to a defined value, thus
defeating the whole purpose of the check.

This bug leads to the following Smatch static checker warning:

	drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
	error: buffer overflow 'map_cqe_status' 10 <= 21

Fixes: bdf1da5df9da: ("RDMA/siw: Fix immediate work request flush to completion queue")
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
---
 drivers/infiniband/sw/siw/siw_cq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
index acc7bcd538b5..403029de6b92 100644
--- a/drivers/infiniband/sw/siw/siw_cq.c
+++ b/drivers/infiniband/sw/siw/siw_cq.c
@@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
 
 			if (opcode >= SIW_NUM_OPCODES) {
 				opcode = 0;
-				status = IB_WC_GENERAL_ERR;
+				status = SIW_WC_GENERAL_ERR;
 			} else if (status >= SIW_NUM_WC_STATUS) {
-				status = IB_WC_GENERAL_ERR;
+				status = SIW_WC_GENERAL_ERR;
 			}
 			wc->opcode = map_wc_opcode[opcode];
 			wc->status = map_cqe_status[status].ib;
-- 
2.32.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] RDMA/siw: Set defined status for work completion with undefined status
  2022-11-15 17:07 [PATCH] RDMA/siw: Set defined status for work completion with undefined status Bernard Metzler
@ 2022-11-15 20:52 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2022-11-15 20:52 UTC (permalink / raw)
  To: Bernard Metzler; +Cc: linux-rdma, leonro, Dan Carpenter

On Tue, Nov 15, 2022 at 06:07:47PM +0100, Bernard Metzler wrote:
> A malicious user may write undefined values into memory mapped completion
> queue elements status or opcode. Undefined status or opcode values will
> result in out-of-bounds access to an array mapping siw internal
> representation of opcode and status to RDMA core representation when
> reaping CQ elements. While siw detects those undefined values,
> it did not correctly set completion status to a defined value, thus
> defeating the whole purpose of the check.
> 
> This bug leads to the following Smatch static checker warning:
> 
> 	drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
> 	error: buffer overflow 'map_cqe_status' 10 <= 21
> 
> Fixes: bdf1da5df9da: ("RDMA/siw: Fix immediate work request flush to completion queue")
> Reported-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
> ---
>  drivers/infiniband/sw/siw/siw_cq.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied to for-next, thanks

Jason

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-11-15 20:52 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-15 17:07 [PATCH] RDMA/siw: Set defined status for work completion with undefined status Bernard Metzler
2022-11-15 20:52 ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox