Linux RDMA and InfiniBand development
 help / color / mirror / Atom feed
From: Dust Li <dust.li@linux.alibaba.com>
To: Bryam Vargas <hexlabsecurity@proton.me>
Cc: Wenjia Zhang <wenjia@linux.ibm.com>,
	"D . Wythe" <alibuda@linux.alibaba.com>,
	Sidraya Jayagond <sidraya@linux.ibm.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	Mahanta Jambigi <mjambigi@linux.ibm.com>,
	Wen Gu <guwen@linux.alibaba.com>, Simon Horman <horms@kernel.org>,
	Ursula Braun <ubraun@linux.ibm.com>,
	Stefan Raspl <raspl@linux.ibm.com>,
	Tony Lu <tonylu@linux.alibaba.com>,
	Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-s390@vger.kernel.org,
	linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers
Date: Wed, 15 Jul 2026 00:18:42 +0800	[thread overview]
Message-ID: <alZhYh6TOvqH0T9s@linux.alibaba.com> (raw)
In-Reply-To: <20260711104315.82912-1-hexlabsecurity@proton.me>

On 2026-07-11 10:43:26, Bryam Vargas wrote:
>On Tue, 7 Jul 2026 17:29:04 +0800, Dust Li wrote:
>> Are you planning to land these clamps first, and then follow up with a
>> separate validate/abort series?
>
>Yes -- clamp series to net (Cc: stable), then the wire-boundary validate/abort to
>net-next, which is the split from your v3 review. If you'd rather have the
>validate/abort as the primary fix, or both in one series, say so and I'll
>restructure it.
>
>> Looking at your earlier A/B test, it simulates this logic in userspace to
>> demonstrate the bug, but it doesn't actually trigger the bug in our
>> current kernel.
>
>Right -- the earlier one replayed the smc_curs_diff/copy arithmetic over a kmalloc
>buffer. I built the end-to-end version: two AF_SMC sockets over the SMC-D loopback
>(dibs), CONFIG_SMC=m with KASAN, receive path unmodified. Only the sender's on-wire
>producer cursor is forged, modelling what a misbehaving peer sends:
>
>  cdc.prod.wrap = curs.wrap;
>  cdc.prod.count = curs.count;
>+ if (forge) {                 /* peer just bumps the wrap, count stays 0 */
>+     static u16 w;
>+     cdc.prod.wrap = ++w;
>+     cdc.prod.count = 0;
>+ }
>
>The client sends six 1-byte messages, the server recvs into a 2 MB buffer.
>rmb_desc->len = 65504; the three arms on 7.2-rc1:
>
>  honest (no forge)            recv 6        clean
>  forged, patch 2/3 clamp on   recv 65504    clean   (== rmb_desc->len)
>  forged, no clamp             recv 393024   KASAN
>
>In the last arm bytes_to_rcv reaches 6*len, so smc_rx_recvmsg()'s second wrap-around
>chunk (copylen - first_chunk = 393024 - 65504) is read from ring offset 0, past the
>RMB page:
>
>  BUG: KASAN: slab-use-after-free in _copy_to_iter
>  Read of size 327520 ... smc_rx_recvmsg <- smc_recvmsg <- __sys_recvfrom
>
>(use-after-free rather than out-of-bounds only because the over-read lands in a freed
>adjacent slab.) Happy to send the driver.
>
>> the security risk here doesn't seem high to me, since SMC is only meant to
>> be deployed in trusted environments.
>
>Agreed it's low urgency there. The reason I'd still keep the bound in stable: it's a
>peer-driven out-of-bounds read of kernel memory that a buggy, not only malicious,
>peer can hit, and the clamp never resets an honest connection. The stable tag is
>your call.
>
>> once this is actually triggered, it means the data we've been handing to
>> userspace is already wrong ... the connection should be terminated. So I
>> don't really see much value in merging the bound-clamp patches first.
>
>I'm not arguing against the abort -- a bad CDC means the connection can't be trusted
>and should go down, and that's the net-next work. Two points on it.
>
>The predicate has to test the accumulator, not the cursor. Every forged CDC here
>carries count == 0, which is in [0, rmb_desc->len), so it passes any per-cursor
>input check, including patch 1/3; only bytes_to_rcv goes out of range. A
>cursor-boundary abort wouldn't catch this vector.
>
>And placement: if the abort is queued (queue_work -> smc_conn_kill) after the
>atomic_add, a recvmsg() under lock_sock can still read the inflated accumulator in
>the window before teardown runs. A synchronous check that bails before the
>atomic_add avoids that, and so does the consumer clamp.
>
>If you'd prefer a single accumulator-abort in place of the -stable clamp, I'll
>respin it that way and run the same A/B.

Hi Bryam,

Thanks for the detailed explanation — I think you're right. To me the
key point here is that no matter how the peer misbehaves, we should
never let it cause a panic or memory corruption on our side.

So I think your current clamp can stay. In the net-next version we
can add the abort logic, and additionally, it would be best to emit a
warning log whenever the clamp detects an anomaly here.

Best regards, Dust


      reply	other threads:[~2026-07-14 16:18 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05  7:54 [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Bryam Vargas via B4 Relay
2026-07-05  7:54 ` [PATCH net v4 1/3] net/smc: bound the wire-controlled producer cursor to the RMB Bryam Vargas via B4 Relay
2026-07-14 16:19   ` Dust Li
2026-07-05  7:54 ` [PATCH net v4 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg() Bryam Vargas via B4 Relay
2026-07-14 16:20   ` Dust Li
2026-07-05  7:54 ` [PATCH net v4 3/3] net/smc: bound the send length to the send buffer in smc_tx_sendmsg() Bryam Vargas via B4 Relay
2026-07-14 16:20   ` Dust Li
2026-07-07  9:29 ` [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Dust Li
2026-07-11 10:43   ` Bryam Vargas
2026-07-14 16:18     ` Dust Li [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alZhYh6TOvqH0T9s@linux.alibaba.com \
    --to=dust.li@linux.alibaba.com \
    --cc=alibuda@linux.alibaba.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=guwen@linux.alibaba.com \
    --cc=hexlabsecurity@proton.me \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=mjambigi@linux.ibm.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=raspl@linux.ibm.com \
    --cc=sidraya@linux.ibm.com \
    --cc=tonylu@linux.alibaba.com \
    --cc=ubraun@linux.ibm.com \
    --cc=wenjia@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox