From: Dust Li <dust.li@linux.alibaba.com>
To: hexlabsecurity@proton.me, "David S. Miller" <davem@davemloft.net>,
Sidraya Jayagond <sidraya@linux.ibm.com>,
Eric Dumazet <edumazet@google.com>,
"D. Wythe" <alibuda@linux.alibaba.com>,
Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>,
Wenjia Zhang <wenjia@linux.ibm.com>,
Paolo Abeni <pabeni@redhat.com>
Cc: Stefan Raspl <raspl@linux.ibm.com>,
Wen Gu <guwen@linux.alibaba.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Mahanta Jambigi <mjambigi@linux.ibm.com>,
Tony Lu <tonylu@linux.alibaba.com>,
Ursula Braun <ubraun@linux.ibm.com>,
linux-s390@vger.kernel.org, linux-rdma@vger.kernel.org
Subject: Re: [PATCH net v4 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg()
Date: Wed, 15 Jul 2026 00:20:27 +0800 [thread overview]
Message-ID: <alZhy6kQIw5NcnZe@linux.alibaba.com> (raw)
In-Reply-To: <20260705-b4-disp-28a1bbca-v4-2-be089b98acc6@proton.me>
On 2026-07-05 02:54:06, Bryam Vargas via B4 Relay wrote:
>From: Bryam Vargas <hexlabsecurity@proton.me>
>
>conn->bytes_to_rcv is accumulated in the receive tasklet from the
>peer's wire-controlled producer cursor via smc_curs_diff(), whose
>differing-wrap branch can exceed rmb_desc->len; a forged cursor drives
>bytes_to_rcv past the RMB, and over many CDC messages overflows the
>signed counter negative. smc_rx_recvmsg() reads it as the readable
>length and does a wrap-around copy whose second chunk is not re-bounded
>to rmb_desc->len, reading past the RMB into adjacent kernel memory and
>disclosing it to the peer. The nearby readable >= rmb_desc->len test
>only feeds SMC_STAT_RMB_RX_FULL on a separate earlier read; it does not
>bound the copy.
>
>Bound the readable length to rmb_desc->len at the consumer, treating a
>negative (sign-overflowed) value as out of range too, so the copy can
>never exceed the ring. This enforces the documented
>0 <= bytes_to_rcv <= rmb_desc->len invariant where it is race-free
>against the producer update in the tasklet; conforming peers are
>unaffected.
>
>Fixes: 952310ccf2d8 ("smc: receive data from RMBE")
>Cc: stable@vger.kernel.org
>Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Best regards,
Dust
>---
> net/smc/smc_rx.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
>index c1d9b923938d..f461cf10b085 100644
>--- a/net/smc/smc_rx.c
>+++ b/net/smc/smc_rx.c
>@@ -442,6 +442,18 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
> /* initialize variables for 1st iteration of subsequent loop */
> /* could be just 1 byte, even after waiting on data above */
> readable = smc_rx_data_available(conn, peeked_bytes);
>+ /* bytes_to_rcv is accumulated from the peer's wire-controlled
>+ * producer cursor; a forged cursor can drive it past the RMB,
>+ * or overflow the signed accumulator to a negative value across
>+ * many CDC messages (which a plain "> len" check would miss
>+ * before the size_t cast below turns it huge). Bound it to the
>+ * RMB in either case so the wrap-around copy cannot run past
>+ * rmb_desc->len. This enforces the documented
>+ * 0 <= bytes_to_rcv <= rmb_desc->len invariant at the consumer,
>+ * race-free against the producer update in the receive tasklet.
>+ */
>+ if (readable < 0 || readable > conn->rmb_desc->len)
>+ readable = conn->rmb_desc->len;
> splbytes = atomic_read(&conn->splice_pending);
> if (!readable || (msg && splbytes)) {
> if (splbytes)
>
>--
>2.43.0
>
next prev parent reply other threads:[~2026-07-14 16:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 7:54 [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Bryam Vargas via B4 Relay
2026-07-05 7:54 ` [PATCH net v4 1/3] net/smc: bound the wire-controlled producer cursor to the RMB Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:19 ` Dust Li
2026-07-05 7:54 ` [PATCH net v4 2/3] net/smc: bound the receive length to the RMB in smc_rx_recvmsg() Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:20 ` Dust Li [this message]
2026-07-05 7:54 ` [PATCH net v4 3/3] net/smc: bound the send length to the send buffer in smc_tx_sendmsg() Bryam Vargas via B4 Relay
2026-07-06 7:54 ` sashiko-bot
2026-07-14 16:20 ` Dust Li
2026-07-07 9:29 ` [PATCH net v4 0/3] net/smc: bound wire-controlled CDC cursors against the local buffers Dust Li
2026-07-11 10:43 ` Bryam Vargas
2026-07-14 16:18 ` Dust Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alZhy6kQIw5NcnZe@linux.alibaba.com \
--to=dust.li@linux.alibaba.com \
--cc=alibuda@linux.alibaba.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=guwen@linux.alibaba.com \
--cc=hexlabsecurity@proton.me \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mjambigi@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raspl@linux.ibm.com \
--cc=sidraya@linux.ibm.com \
--cc=tonylu@linux.alibaba.com \
--cc=ubraun@linux.ibm.com \
--cc=wenjia@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox