[PATCH] net/smc: bound sndbuf_space on the SMC-D DMB-merge receive path

Netdev List
 help / color / mirror / Atom feed

From: Bryam Vargas <hexlabsecurity@proton.me>
To: "D . Wythe" <alibuda@linux.alibaba.com>,
	Dust Li <dust.li@linux.alibaba.com>,
	Sidraya Jayagond <sidraya@linux.ibm.com>,
	Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>,
	Tony Lu <tonylu@linux.alibaba.com>,
	Wen Gu <guwen@linux.alibaba.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] net/smc: bound sndbuf_space on the SMC-D DMB-merge receive path
Date: Wed, 10 Jun 2026 09:09:36 +0000	[thread overview]
Message-ID: <20260610090928.192177-1-hexlabsecurity@proton.me> (raw)

When the SMC-D send buffer is merged with the peer's DMB (the nocopy
DMB-merge path), smc_cdc_msg_recv_action() advances the local send-buffer
free space from the peer's consumer cursor:

	diff_tx = smc_curs_diff(conn->sndbuf_desc->len,
				&conn->tx_curs_fin,
				&conn->local_rx_ctrl.cons);
	atomic_add(diff_tx, &conn->sndbuf_space);

conn->local_rx_ctrl.cons is the peer's consumer cursor, copied verbatim
from the wire by smcd_cdc_msg_to_host() with no validation.
smc_curs_diff()'s differing-wrap branch returns
(size - old.count) + new.count, which exceeds size for a forged cursor,
so a malicious peer can drive sndbuf_space past sndbuf_desc->len. The
"guarantee 0 <= sndbuf_space <= sndbuf_desc->len" comment on the
atomic_add() is not enforced.

smc_tx_sendmsg() then reads the inflated sndbuf_space as the available
write space and copies that many user bytes into the send buffer; its
two-chunk wrap-around copy bounds only the first chunk to
sndbuf_desc->len, so the second chunk (copylen - first_chunk, written at
offset 0) runs past the send buffer -- a heap out-of-bounds write of
attacker-influenced length with user-controlled content.

Enforce the documented invariant after the cursor-driven atomic_add(), as
the SMC-D receive path already does for bytes_to_rcv.

Fixes: cc0ab806fc52 ("net/smc: adapt cursor update when sndbuf and peer DMB are merged")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
The out-of-bounds write was reproduced under KASAN by driving
smc_tx_sendmsg()'s two-chunk send-ring copy with an inflated sndbuf_space
(slab-out-of-bounds Write); with the clamp the same input keeps the copy
within sndbuf_desc->len. The DMB-merge/nocopy path that lets a peer
consumer cursor inflate sndbuf_space is reachable with the in-kernel
loopback-ism (CONFIG_SMC_LO), which advertises dmb_nocopy, on commodity
x86 -- no special hardware is required to exercise it.

 net/smc/smc_cdc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index 619b3bab3824..cf8d65407ea5 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -365,6 +365,10 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
 			smp_mb__before_atomic();
 			atomic_add(diff_tx, &conn->sndbuf_space);
 			/* guarantee 0 <= sndbuf_space <= sndbuf_desc->len */
+			if (atomic_read(&conn->sndbuf_space) >
+			    conn->sndbuf_desc->len)
+				atomic_set(&conn->sndbuf_space,
+					   conn->sndbuf_desc->len);
 			smp_mb__after_atomic();
 			smc_curs_copy(&conn->tx_curs_fin,
 				      &conn->local_rx_ctrl.cons, conn);
-- 
2.43.0

                 reply	other threads:[~2026-06-10  9:09 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:619b3bab382 dfblob:cf8d65407ea )
 OR (
bs:"[PATCH] net/smc: bound sndbuf_space on the SMC-D DMB-merge receive path" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260610090928.192177-1-hexlabsecurity@proton.me \
    --to=hexlabsecurity@proton.me \
    --cc=alibuda@linux.alibaba.com \
    --cc=davem@davemloft.net \
    --cc=dust.li@linux.alibaba.com \
    --cc=edumazet@google.com \
    --cc=guwen@linux.alibaba.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=mjambigi@linux.ibm.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sidraya@linux.ibm.com \
    --cc=tonylu@linux.alibaba.com \
    --cc=wenjia@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox