From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out30-118.freemail.mail.aliyun.com (out30-118.freemail.mail.aliyun.com [115.124.30.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C90783446C9; Thu, 18 Jun 2026 16:03:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.118 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781798604; cv=none; b=FYhyZ+HAtGxmUYO0zU7ivOGY64Fpydo5ogDm+cGrvEXhhSSqvlYxXBIIOatU8cgnVretE46PmULva6baeyPxtEy/l/8LKZ29MxwfMGaZWyU/DtEZ0nT7fe0Xz9+kJFgkfS0xANnhqn3Ii/KdyU7EiNPkewSuflq349/WY5nLxkk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781798604; c=relaxed/simple; bh=2fKCewmHDraKBYdD2hFnuHNGMxtXSmQnBm6eLyC1XOQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=SOvB4DyjrpYLA+NPUAdNQ2s+1woFBi9tfQUQx0zvCoa4StfdguNs/ilry4V/qpMds8YQFQooQFsuILpLIvb20vtazua/jhVEb4r2eEgwLVEh7/vgXVwQK0Nd4J8H+3B4PIzKeRAhSe+SLw4+X5iiGy2deeAaX1HEBLLRA2U/rzs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=IHojqSEF; arc=none smtp.client-ip=115.124.30.118 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="IHojqSEF" DKIM-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1781798598; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type; bh=gkqxdjTyrjDufw0wAGal9WNmShdcAlZ9wp5Pmo/sHyE=; b=IHojqSEFw9VNBvSPnGx4S5k6h0UAbjV5s3Xb7zTFZsFHBz3LEr5y6T0kNe8lSveaeiDo2BnoorM/O1xn6fNyyS8x/NH+EnmAJOiqVL/dGAyK0zYVkd3IlDBgGCLT3AEfvt6/6docOG6BxSXa1cZYI7HAA73P3HYA0OoqJ+s4Des= X-Alimail-AntiSpam:AC=PASS;BC=-1|-1;BR=01201311R811e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=maildocker-contentspam011083073210;MF=dust.li@linux.alibaba.com;NM=1;PH=DS;RN=18;SR=0;TI=SMTPD_---0X57Pyhp_1781798597; Received: from localhost(mailfrom:dust.li@linux.alibaba.com fp:SMTPD_---0X57Pyhp_1781798597 cluster:ay36) by smtp.aliyun-inc.com; Fri, 19 Jun 2026 00:03:17 +0800 Date: Fri, 19 Jun 2026 00:03:17 +0800 From: Dust Li To: hexlabsecurity@proton.me, Wenjia Zhang , "D. Wythe" , Sidraya Jayagond Cc: Eric Dumazet , "David S. Miller" , Mahanta Jambigi , Wen Gu , Simon Horman , netdev@vger.kernel.org, Ursula Braun , Stefan Raspl , linux-s390@vger.kernel.org, Paolo Abeni , linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, Jakub Kicinski , Tony Lu Subject: Re: [PATCH v3 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg() Message-ID: Reply-To: dust.li@linux.alibaba.com References: <20260614-b4-disp-edd64be9-v3-0-551fa514257e@proton.me> <20260614-b4-disp-edd64be9-v3-2-551fa514257e@proton.me> Precedence: bulk X-Mailing-List: linux-rdma@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260614-b4-disp-edd64be9-v3-2-551fa514257e@proton.me> On 2026-06-14 03:23:31, Bryam Vargas via B4 Relay wrote: >From: Bryam Vargas > >conn->bytes_to_rcv is accumulated in the receive tasklet from the peer's >producer cursor: > > diff_prod = smc_curs_diff(rmb_desc->len, &prod_old, &prod_new); > atomic_add(diff_prod, &conn->bytes_to_rcv); > >smc_curs_diff()'s differing-wrap branch returns (size - old.count) + >new.count, which exceeds rmb_desc->len for a forged producer cursor and >accumulates across CDC messages, so bytes_to_rcv can grow past the RMB >(and across many messages can overflow the signed counter negative). >smc_rx_recvmsg() reads it as the number of readable bytes and performs a >wrap-around copy whose second chunk (copylen - first_chunk, read from >ring offset 0) is never re-bounded to rmb_desc->len, reading past the >RMB into adjacent kernel memory and disclosing it to the peer. Hi Bryam, Once we validate the CDC message at the input boundary (as in the previous patch), bytes_to_rcv can never exceed rmb_desc->len, so this check becomes unreachable. So I don't think this patch is needed. Best regards, Dust > >Bound the readable count to rmb_desc->len where it is consumed, treating >a negative (sign-overflowed) value as out of range too, so the copy >length can never exceed the ring. This enforces the documented >0 <= bytes_to_rcv <= rmb_desc->len invariant at the consumer, where it >is race-free against the producer update that runs in the receive >tasklet. > >Fixes: 952310ccf2d8 ("smc: receive data from RMBE") >Cc: stable@vger.kernel.org >Signed-off-by: Bryam Vargas >--- > net/smc/smc_rx.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c >index c1d9b923938d..f461cf10b085 100644 >--- a/net/smc/smc_rx.c >+++ b/net/smc/smc_rx.c >@@ -442,6 +442,18 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, > /* initialize variables for 1st iteration of subsequent loop */ > /* could be just 1 byte, even after waiting on data above */ > readable = smc_rx_data_available(conn, peeked_bytes); >+ /* bytes_to_rcv is accumulated from the peer's wire-controlled >+ * producer cursor; a forged cursor can drive it past the RMB, >+ * or overflow the signed accumulator to a negative value across >+ * many CDC messages (which a plain "> len" check would miss >+ * before the size_t cast below turns it huge). Bound it to the >+ * RMB in either case so the wrap-around copy cannot run past >+ * rmb_desc->len. This enforces the documented >+ * 0 <= bytes_to_rcv <= rmb_desc->len invariant at the consumer, >+ * race-free against the producer update in the receive tasklet. >+ */ >+ if (readable < 0 || readable > conn->rmb_desc->len) >+ readable = conn->rmb_desc->len; > splbytes = atomic_read(&conn->splice_pending); > if (!readable || (msg && splbytes)) { > if (splbytes) > >-- >2.43.0 >