From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com,
Leon Romanovsky <leonro@mellanox.com>,
Sean Hefty <sean.hefty@intel.com>,
Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.15 84/84] RDMA/ucma: Don't allow join attempts for unsupported AF family
Date: Fri, 23 Mar 2018 10:54:38 +0100 [thread overview]
Message-ID: <20180323095424.636689075@linuxfoundation.org> (raw)
In-Reply-To: <20180323095411.913234798@linuxfoundation.org>
4.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 0c81ffc60d5280991773d17e84bda605387148b1 upstream.
Users can provide garbage while calling ucma_join_ip_multicast(); it
will indirectly cause rdma_addr_size() to return 0, making the call to
ucma_process_join(), which had the right checks, but it is better to
check the input as early as possible.
The following crash from syzkaller revealed it.
kernel BUG at lib/string.c:1052!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286
RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000
RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12
RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998
R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00
FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
memcpy include/linux/string.h:344 [inline]
ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
__vfs_write+0xef/0x970 fs/read_write.c:480
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f9ec99
RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de
55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90
90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
Reported-by: <syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/ucma.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1348,7 +1348,7 @@ static ssize_t ucma_process_join(struct
return -ENOSPC;
addr = (struct sockaddr *) &cmd->addr;
- if (!cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
+ if (cmd->addr_size != rdma_addr_size(addr))
return -EINVAL;
if (cmd->join_flags == RDMA_MC_JOIN_FLAG_FULLMEMBER)
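Review bot: dropping the `!cmd->addr_size` guard in the `-`/`+` pair means a cmd->addr_size of 0 paired with an unsupported family, for which the commit message says rdma_addr_size() returns 0, now passes `cmd->addr_size != rdma_addr_size(addr)` because both sides are 0; ucma_process_join() therefore depends on both of its callers rejecting a zero size before calling it. Keeping the explicit zero check here as well costs nothing and leaves the function safe on its own; failing that, a one-line comment should state that callers must validate the size first.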
@@ -1416,6 +1416,9 @@ static ssize_t ucma_join_ip_multicast(st
join_cmd.uid = cmd.uid;
join_cmd.id = cmd.id;
join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
+ if (!join_cmd.addr_size)
+ return -EINVAL;
+
join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER;
memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
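Review bot: the new `if (!join_cmd.addr_size) return -EINVAL;` rejects only a zero length, but join_cmd.addr_size is derived from the user-controlled family in cmd.addr and is then used as the memcpy() length read from &cmd.addr, the same memcpy at ucma.c:1421 that the trace shows reaching fortify_panic(). Nothing in this hunk bounds that length by sizeof(cmd.addr), so any family for which rdma_addr_size() returns more than sizeof(cmd.addr) would still read past the source buffer; suggest `if (!join_cmd.addr_size || join_cmd.addr_size > sizeof(cmd.addr)) return -EINVAL;` or a helper that returns 0 for any family larger than cmd.addr.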
@@ -1431,6 +1434,9 @@ static ssize_t ucma_join_multicast(struc
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
+ if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
+ return -EINVAL;
+
return ucma_process_join(file, &cmd, out_len);
}
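Review bot: this check computes rdma_addr_size() on cmd.addr but ignores cmd.addr_size, whereas ucma_process_join() (first hunk) compares the two; since the first hunk also removed the zero test from ucma_process_join(), a zero size would otherwise be accepted whenever rdma_addr_size() also returned 0, so this check is required for correctness rather than being an early-out, and a short comment saying so would help the next reader. Minor: `(struct sockaddr *)&cmd.addr` here versus `(struct sockaddr *) &cmd.addr` in the previous hunk; pick one cast spacing.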
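The commit message describes the mechanism: a user-controlled address family decides the length rdma_addr_size() returns, and that length feeds a memcpy(). The C program below is an added userspace model, not the kernel's code and not part of this patch; model_addr_size(), MODEL_AF_IB, MODEL_IB_LEN, join_len_patched(), join_len_bounded() and check_family() are assumed names, and it contrasts the patch's zero-length check with a variant that also bounds the length by the source buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* 27 is AF_IB's value on Linux; defined locally so the model builds
 * without kernel headers. The 48-byte length is a constructed value
 * chosen to be larger than a struct sockaddr_in6. */
#define MODEL_AF_IB   27
#define MODEL_IB_LEN  48

/* Userspace model (not the kernel's rdma_addr_size()): the length implied
 * by the user-supplied family, 0 for an unsupported family as on the page. */
static size_t model_addr_size(const struct sockaddr *addr)
{
    switch (addr->sa_family) {
    case AF_INET:     return sizeof(struct sockaddr_in);
    case AF_INET6:    return sizeof(struct sockaddr_in6);
    case MODEL_AF_IB: return MODEL_IB_LEN;
    default:          return 0;
    }
}

/* Patched behaviour: reject only a zero length. Returns the length that
 * would be handed to memcpy(), or -1 where the kernel returns -EINVAL. */
static long join_len_patched(const struct sockaddr_in6 *src)
{
    size_t n = model_addr_size((const struct sockaddr *)src);
    return n ? (long)n : -1;
}

/* Hardened variant: also bound the length by the buffer the user actually
 * supplied, so memcpy() can never read past a struct sockaddr_in6. */
static long join_len_bounded(const struct sockaddr_in6 *src)
{
    size_t n = model_addr_size((const struct sockaddr *)src);
    return (n && n <= sizeof(*src)) ? (long)n : -1;
}

/* Build a zeroed sockaddr_in6 carrying an arbitrary family (the "garbage"
 * the commit message refers to) and run it through one of the two checks. */
static long check_family(uint16_t family, int bounded)
{
    struct sockaddr_in6 in6;
    memset(&in6, 0, sizeof(in6));
    in6.sin6_family = family;
    return bounded ? join_len_bounded(&in6) : join_len_patched(&in6);
}
```

An unsupported family is rejected by both checks, but a family whose implied length exceeds the 28-byte sockaddr_in6 is only rejected by the bounded variant.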