Netdev List
 help / color / mirror / Atom feed
* [PATCH net] dibs: loopback: validate offset and size in move_data()
@ 2026-07-07  7:43 Dust Li
  2026-07-07 14:31 ` Dust Li
  0 siblings, 1 reply; 3+ messages in thread
From: Dust Li @ 2026-07-07  7:43 UTC (permalink / raw)
  To: Alexandra Winter
  Cc: Wenjia Zhang, Wen Gu, Paolo Abeni, Mahanta Jambigi, D . Wythe,
	Sidraya Jayagond, netdev, linux-kernel, stable,
	Federico Kirschbaum

The loopback move_data() performs a memcpy into the registered DMB
without checking whether offset + size exceeds the DMB length.  Unlike
real ISM hardware, which enforces memory region bounds natively, the
software loopback has no such protection.

A peer-supplied out-of-bounds offset or oversized write would result in
an OOB write past the allocated kernel buffer.  Add an explicit bounds
check before the memcpy to reject such requests with -EINVAL.

Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
Cc: stable@vger.kernel.org
Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
---
 drivers/dibs/dibs_loopback.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/dibs/dibs_loopback.c b/drivers/dibs/dibs_loopback.c
index ec3b48cb0e87..0f2e09311152 100644
--- a/drivers/dibs/dibs_loopback.c
+++ b/drivers/dibs/dibs_loopback.c
@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
 		read_unlock_bh(&ldev->dmb_ht_lock);
 		return -EINVAL;
 	}
+	if ((u64)offset + size > rmb_node->len) {
+		read_unlock_bh(&ldev->dmb_ht_lock);
+		return -EINVAL;
+	}
+
 	memcpy((char *)rmb_node->cpu_addr + offset, data, size);
 	sba_idx = rmb_node->sba_idx;
 	read_unlock_bh(&ldev->dmb_ht_lock);
-- 
2.43.7


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net] dibs: loopback: validate offset and size in move_data()
  2026-07-07  7:43 [PATCH net] dibs: loopback: validate offset and size in move_data() Dust Li
@ 2026-07-07 14:31 ` Dust Li
  2026-07-07 18:31   ` Andrew Lunn
  0 siblings, 1 reply; 3+ messages in thread
From: Dust Li @ 2026-07-07 14:31 UTC (permalink / raw)
  To: Alexandra Winter
  Cc: Wenjia Zhang, Wen Gu, Paolo Abeni, Mahanta Jambigi, D . Wythe,
	Sidraya Jayagond, netdev, linux-kernel, stable,
	Federico Kirschbaum

On 2026-07-07 15:43:18, Dust Li wrote:
>The loopback move_data() performs a memcpy into the registered DMB
>without checking whether offset + size exceeds the DMB length.  Unlike
>real ISM hardware, which enforces memory region bounds natively, the
>software loopback has no such protection.
>
>A peer-supplied out-of-bounds offset or oversized write would result in
>an OOB write past the allocated kernel buffer.  Add an explicit bounds
>check before the memcpy to reject such requests with -EINVAL.
>
>Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
>Cc: stable@vger.kernel.org
>Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>

Reported-by: Baul Lee <baul.lee@xbow.com>

Best regards,
Dust

>Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
>---
> drivers/dibs/dibs_loopback.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/drivers/dibs/dibs_loopback.c b/drivers/dibs/dibs_loopback.c
>index ec3b48cb0e87..0f2e09311152 100644
>--- a/drivers/dibs/dibs_loopback.c
>+++ b/drivers/dibs/dibs_loopback.c
>@@ -254,6 +254,11 @@ static int dibs_lo_move_data(struct dibs_dev *dibs, u64 dmb_tok,
> 		read_unlock_bh(&ldev->dmb_ht_lock);
> 		return -EINVAL;
> 	}
>+	if ((u64)offset + size > rmb_node->len) {
>+		read_unlock_bh(&ldev->dmb_ht_lock);
>+		return -EINVAL;
>+	}
>+
> 	memcpy((char *)rmb_node->cpu_addr + offset, data, size);
> 	sba_idx = rmb_node->sba_idx;
> 	read_unlock_bh(&ldev->dmb_ht_lock);
>-- 
>2.43.7

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net] dibs: loopback: validate offset and size in move_data()
  2026-07-07 14:31 ` Dust Li
@ 2026-07-07 18:31   ` Andrew Lunn
  0 siblings, 0 replies; 3+ messages in thread
From: Andrew Lunn @ 2026-07-07 18:31 UTC (permalink / raw)
  To: Dust Li
  Cc: Alexandra Winter, Wenjia Zhang, Wen Gu, Paolo Abeni,
	Mahanta Jambigi, D . Wythe, Sidraya Jayagond, netdev,
	linux-kernel, stable, Federico Kirschbaum

On Tue, Jul 07, 2026 at 10:31:00PM +0800, Dust Li wrote:
> On 2026-07-07 15:43:18, Dust Li wrote:
> >The loopback move_data() performs a memcpy into the registered DMB
> >without checking whether offset + size exceeds the DMB length.  Unlike
> >real ISM hardware, which enforces memory region bounds natively, the
> >software loopback has no such protection.
> >
> >A peer-supplied out-of-bounds offset or oversized write would result in
> >an OOB write past the allocated kernel buffer.  Add an explicit bounds
> >check before the memcpy to reject such requests with -EINVAL.
> >
> >Fixes: f7a22071dbf3("net/smc: implement DMB-related operations of loopback-ism")
> >Cc: stable@vger.kernel.org
> >Reported-by: Federico Kirschbaum <federico.kirschbaum@xbow.com>
> 
> Reported-by: Baul Lee <baul.lee@xbow.com>

Could you provide a link to the report?

Thanks
	Andrew

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-07 18:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-07  7:43 [PATCH net] dibs: loopback: validate offset and size in move_data() Dust Li
2026-07-07 14:31 ` Dust Li
2026-07-07 18:31   ` Andrew Lunn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox