From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jason Gunthorpe <jgg@ziepe.ca>, Haimin Zhang <tcs.kernel@gmail.com>
Cc: Wenpeng Liang <liangwenpeng@huawei.com>,
	Leon Romanovsky <leon@kernel.org>,
	Weihang Li <liweihang@huawei.com>,
	YueHaibing <yuehaibing@huawei.com>,
	Xiaofei Tan <tanxiaofei@huawei.com>,
	Dasaratharaman Chandramouli <dasaratharaman.chandramouli@intel.com>,
	Doug Ledford <dledford@redhat.com>,
	Sean Hefty <sean.hefty@intel.com>,
	Don Hiatt <don.hiatt@intel.com>, Ira Weiny <ira.weiny@intel.com>,
	linux-rdma@vger.kernel.org, security@kernel.org,
	Greg KH <gregkh@linuxfoundation.org>
Subject: [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr()
Date: Fri, 4 Feb 2022 13:00:36 +0300
Message-ID: <20220204100036.GA12348@kili>

From: Haimin Zhang <tcs.kernel@gmail.com>

The ib_copy_ah_attr_to_user() function only initializes "resp.grh" if
the "resp.is_global" flag is set.  Unfortunately, this data is copied to
the user and copying uninitialized stack data to the user is an
information leak.  Zero out the whole "resp" struct to be safe.

As a clean up, zero out both "resp" and "qp_attr" in the initializers.

[ This patch has been highly edited from the original that Haimin Zhang
  sent, so if there are any complaints please blame Dan Carpenter and
  Leon Romanovsky ]

Fixes: 4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr")
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Style changes

 drivers/infiniband/core/ucma.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 9d6ac9dff39a..4b90ee14b015 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1214,9 +1214,9 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
 				 int in_len, int out_len)
 {
 	struct rdma_ucm_init_qp_attr cmd;
-	struct ib_uverbs_qp_attr resp;
+	struct ib_uverbs_qp_attr resp = {};
 	struct ucma_context *ctx;
-	struct ib_qp_attr qp_attr;
+	struct ib_qp_attr qp_attr = {};
 	int ret;
 
 	if (out_len < sizeof(resp))
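Review bot: the `= {}` initializers for `resp` and `qp_attr` at the top of this hunk do close the `resp.grh` leak described in the message, but brace initialization is only guaranteed to zero the named members, not any padding bytes, so for `resp`, which is copied to user space in full, `memset(&resp, 0, sizeof(resp))` is the more defensive form unless struct ib_uverbs_qp_attr is known to have no padding (uverbs ABI structs usually carry explicit reserved fields for exactly this reason, which would make `= {}` acceptable; worth a sentence in the commit message either way).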
@@ -1232,8 +1232,6 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	resp.qp_attr_mask = 0;
-	memset(&qp_attr, 0, sizeof qp_attr);
 	qp_attr.qp_state = cmd.qp_state;
 	mutex_lock(&ctx->mutex);
 	ret = rdma_init_qp_attr(ctx->cm_id, &qp_attr, &resp.qp_attr_mask);
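Review bot: dropping `resp.qp_attr_mask = 0;` and `memset(&qp_attr, 0, sizeof qp_attr);` here is behaviour-neutral only because of the `= {}` initializers in the previous hunk, so the two hunks must travel together in any stable backport; applying this hunk alone would leave `qp_attr_mask` uninitialized when it is passed to rdma_init_qp_attr() on the last line. The removed `sizeof qp_attr` without parentheses was also a checkpatch style nit, so the cleanup improves that as well.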
-- 
2.20.1

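An added example (not kernel code, and not part of this patch) that models the leak the commit message describes: a user-facing struct whose `grh` member is filled only when `is_global` is set, built in stack memory poisoned with a known byte pattern, the way KMSAN-style tooling reasons about uninitialized data. The struct layouts, field names and values are simplified stand-ins for ib_uverbs_qp_attr and ib_copy_ah_attr_to_user(), chosen for this example; the function counts how many poison bytes would reach user space with and without the zero-initialization the patch adds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA  /* marks "stale stack contents" (constructed for this example) */

/* Simplified stand-ins for the uverbs ABI structs; no implicit padding in this layout. */
struct uverbs_grh { uint8_t dgid[16]; uint32_t flow_label; uint8_t sgid_index, hop_limit, traffic_class, reserved; };
struct uverbs_ah_attr { struct uverbs_grh grh; uint16_t dlid; uint8_t sl, src_path_bits, static_rate, is_global, port_num, reserved; };
struct uverbs_qp_attr { uint32_t qp_attr_mask; uint32_t qp_state; struct uverbs_ah_attr ah_attr; };

/* Mirrors the behaviour the commit message describes: grh is written only when is_global. */
static void copy_ah_attr_to_user(struct uverbs_ah_attr *dst, int is_global)
{
    dst->is_global = is_global;
    dst->dlid = 1; dst->sl = 0; dst->src_path_bits = 0; dst->static_rate = 0; dst->port_num = 1;
    if (is_global) {
        memset(dst->grh.dgid, 0, sizeof dst->grh.dgid);
        dst->grh.flow_label = 0; dst->grh.sgid_index = 0;
        dst->grh.hop_limit = 64; dst->grh.traffic_class = 0;
    }
}

/* Build resp in poisoned storage, then count poison bytes a copy_to_user() would expose.
 * zero_first == 1 corresponds to the patch's `resp = {}`; 0 to the pre-patch code. */
static size_t leaked_bytes(int zero_first, int is_global)
{
    union { unsigned char bytes[sizeof(struct uverbs_qp_attr)]; struct uverbs_qp_attr resp; } frame;
    memset(frame.bytes, POISON, sizeof frame.bytes);        /* stale stack data */
    if (zero_first)
        memset(&frame.resp, 0, sizeof frame.resp);           /* the fix */
    frame.resp.qp_attr_mask = 0;                             /* pre-patch code zeroed only this */
    frame.resp.qp_state = 2;
    copy_ah_attr_to_user(&frame.resp.ah_attr, is_global);
    size_t n = 0;
    for (size_t i = 0; i < sizeof frame.bytes; i++)
        if (frame.bytes[i] == POISON) n++;
    return n;  /* bytes of old stack content that would be copied to user space */
}

int main(void)
{
    printf("unzeroed, is_global=0: %zu leaked bytes\n", leaked_bytes(0, 0));  /* grh + reserved */
    printf("unzeroed, is_global=1: %zu leaked bytes\n", leaked_bytes(0, 1));  /* reserved fields */
    printf("zeroed,   is_global=0: %zu leaked bytes\n", leaked_bytes(1, 0));
    return 0;
}
```

Even with `is_global` set, the two `reserved` fields still carry stale bytes in the unzeroed variant, which is why zeroing the whole struct rather than the fields the code happens to touch is the right fix for anything copied to user space.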

Thread overview: 3+ messages
2022-02-04 10:00 Dan Carpenter [this message]
2022-02-04 23:55 ` [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr() Jason Gunthorpe
2022-02-05  9:11   ` Dan Carpenter