* Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
@ 2021-06-08 18:00 coverity-bot
From: coverity-bot @ 2021-06-08 18:00 UTC
  To: Mustafa Ismail
  Cc: Jason Gunthorpe, Shiraz Saleem, Gustavo A. R. Silva, linux-next

Hello!

This is an experimental semi-automated report about issues detected by
Coverity from a scan of next-20210608 as part of the linux-next scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:

  Wed Jun 2 19:55:18 2021 -0300
    b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")

(Editor's note: I believe the issues below are basically summarized as
"the contents of req came from userspace and did not get validated before
being used for things like array indexing, etc")

Coverity reported the following:

*** CID 1505160:    (TAINTED_SCALAR)
/drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
2806     		list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
2807     		iwpbl->on_list = true;
2808     		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
2809     		break;
2810     	case IRDMA_MEMREG_TYPE_CQ:
2811     		use_pbles = (req.cq_pages > 1);
vvv     CID 1505160:    (TAINTED_SCALAR)
vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
2812     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2813     		if (err)
2814     			goto error;
2815
2816     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2817     						     ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793     	iwmr->type = req.reg_type;
2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796     	switch (req.reg_type) {
2797     	case IRDMA_MEMREG_TYPE_QP:
2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv     CID 1505160:    (TAINTED_SCALAR)
vvv     Passing tainted variable "req.cq_pages" to a tainted sink.
2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800     		if (err)
2801     			goto error;
2802
2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804     						     ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793     	iwmr->type = req.reg_type;
2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796     	switch (req.reg_type) {
2797     	case IRDMA_MEMREG_TYPE_QP:
2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv     CID 1505160:    (TAINTED_SCALAR)
vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800     		if (err)
2801     			goto error;
2802
2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804     						     ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
2793     	iwmr->type = req.reg_type;
2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
2795
2796     	switch (req.reg_type) {
2797     	case IRDMA_MEMREG_TYPE_QP:
2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
vvv     CID 1505160:    (TAINTED_SCALAR)
vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2800     		if (err)
2801     			goto error;
2802
2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2804     						     ibucontext);
/drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
2806     		list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
2807     		iwpbl->on_list = true;
2808     		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
2809     		break;
2810     	case IRDMA_MEMREG_TYPE_CQ:
2811     		use_pbles = (req.cq_pages > 1);
vvv     CID 1505160:    (TAINTED_SCALAR)
vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
2812     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
2813     		if (err)
2814     			goto error;
2815
2816     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
2817     						     ibucontext);

If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")

Thanks for your attention!

-- 
Coverity-bot


* RE: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
@ 2021-06-15 15:59 ` Saleem, Shiraz
From: Saleem, Shiraz @ 2021-06-15 15:59 UTC
  To: coverity-bot, Ismail, Mustafa, Nikolova, Tatyana E
  Cc: Jason Gunthorpe, Gustavo A. R. Silva, linux-next

> Subject: Coverity: irdma_reg_user_mr(): TAINTED_SCALAR
> 
> Hello!
> 
> This is an experimental semi-automated report about issues detected by Coverity
> from a scan of next-20210608 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
> 
> You're getting this email because you were associated with the identified lines of
> code (noted below) that were touched by commits:
> 
>   Wed Jun 2 19:55:18 2021 -0300
>     b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
> 
> (Editor's note: I believe the issues below are basically summarized as "the contents
> of req came from userspace and did not get validated before being used for
> things like array indexing, etc")
> 
> Coverity reported the following:
> 
> *** CID 1505160:    (TAINTED_SCALAR)
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806     		list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807     		iwpbl->on_list = true;
> 2808     		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809     		break;
> 2810     	case IRDMA_MEMREG_TYPE_CQ:
> 2811     		use_pbles = (req.cq_pages > 1);
> vvv     CID 1505160:    (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
> 2812     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813     		if (err)
> 2814     			goto error;
> 2815
> 2816     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817     						     ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793     	iwmr->type = req.reg_type;
> 2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796     	switch (req.reg_type) {
> 2797     	case IRDMA_MEMREG_TYPE_QP:
> 2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:    (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.cq_pages" to a tainted sink.
> 2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800     		if (err)
> 2801     			goto error;
> 2802
> 2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804     						     ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793     	iwmr->type = req.reg_type;
> 2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796     	switch (req.reg_type) {
> 2797     	case IRDMA_MEMREG_TYPE_QP:
> 2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:    (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
> 2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800     		if (err)
> 2801     			goto error;
> 2802
> 2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804     						     ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2799 in irdma_reg_user_mr()
> 2793     	iwmr->type = req.reg_type;
> 2794     	iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
> 2795
> 2796     	switch (req.reg_type) {
> 2797     	case IRDMA_MEMREG_TYPE_QP:
> 2798     		use_pbles = ((req.sq_pages + req.rq_pages) > 2);
> vvv     CID 1505160:    (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.rq_pages" to a tainted sink.
> 2799     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2800     		if (err)
> 2801     			goto error;
> 2802
> 2803     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2804     						     ibucontext);
> /drivers/infiniband/hw/irdma/verbs.c: 2812 in irdma_reg_user_mr()
> 2806     		list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
> 2807     		iwpbl->on_list = true;
> 2808     		spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
> 2809     		break;
> 2810     	case IRDMA_MEMREG_TYPE_CQ:
> 2811     		use_pbles = (req.cq_pages > 1);
> vvv     CID 1505160:    (TAINTED_SCALAR)
> vvv     Passing tainted variable "req.sq_pages" to a tainted sink.
> 2812     		err = irdma_handle_q_mem(iwdev, &req, iwpbl, use_pbles);
> 2813     		if (err)
> 2814     			goto error;
> 2815
> 2816     		ucontext = rdma_udata_to_drv_context(udata, struct irdma_ucontext,
> 2817     						     ibucontext);
> 
> If this is a false positive, please let us know so we can mark it as such, or teach
> the Coverity rules to be smarter. If not, please make sure fixes get into linux-next.
> :) For patches fixing this, please include these lines (but double-check the "Fixes"
> first):
> 
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1505160 ("TAINTED_SCALAR")
> Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
> 
> Thanks for your attention!
> 

This appears to be a bug. We will send a fix.

Shiraz
