* [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr()
@ 2022-02-04 10:00 Dan Carpenter
  2022-02-04 23:55 ` Jason Gunthorpe
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2022-02-04 10:00 UTC (permalink / raw)
  To: Jason Gunthorpe, Haimin Zhang
  Cc: Wenpeng Liang, Leon Romanovsky, Weihang Li, YueHaibing,
	Xiaofei Tan, Dasaratharaman Chandramouli, Doug Ledford,
	Sean Hefty, Don Hiatt, Ira Weiny, linux-rdma, security, Greg KH

From: Haimin Zhang <tcs.kernel@gmail.com>

The ib_copy_ah_attr_to_user() function only initializes "resp.grh" if
the "resp.is_global" flag is set.  Unfortunately, this data is copied to
the user and copying uninitialized stack data to the user is an
information leak.  Zero out the whole "resp" struct to be safe.

As a clean up, zero out both "resp" and "qp_attr" in the initializers.

[ This patch has been highly edited from the original that Haimin Zhang
  sent, so if there are any complaints please blame Dan Carpenter and
  Leon Romanovsky ]

Fixes: 4ba66093bdc6 ("IB/core: Check for global flag when using ah_attr")
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Style changes

 drivers/infiniband/core/ucma.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 9d6ac9dff39a..4b90ee14b015 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1214,9 +1214,9 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
 				 int in_len, int out_len)
 {
 	struct rdma_ucm_init_qp_attr cmd;
-	struct ib_uverbs_qp_attr resp;
+	struct ib_uverbs_qp_attr resp = {};
 	struct ucma_context *ctx;
-	struct ib_qp_attr qp_attr;
+	struct ib_qp_attr qp_attr = {};
 	int ret;
 
 	if (out_len < sizeof(resp))
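Review bot: `resp` is the struct that reaches userspace (the `out_len < sizeof(resp)` check and the commit message both say so), and a `= {}` initializer is not guaranteed by the C standard to clear padding bytes the way `memset()` is, so for the user-visible struct an explicit `memset(&resp, 0, sizeof(resp));` at the top of the function is the more defensive form; `struct ib_qp_attr qp_attr = {};` is kernel-internal and fine as written.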
@@ -1232,8 +1232,6 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
-	resp.qp_attr_mask = 0;
-	memset(&qp_attr, 0, sizeof qp_attr);
 	qp_attr.qp_state = cmd.qp_state;
 	mutex_lock(&ctx->mutex);
 	ret = rdma_init_qp_attr(ctx->cm_id, &qp_attr, &resp.qp_attr_mask);
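Review bot: dropping `resp.qp_attr_mask = 0;` and `memset(&qp_attr, 0, sizeof qp_attr);` is correct only together with the new initializers in the declarations, and the commit message itself calls the `qp_attr` part a cleanup; since the patch carries a Fixes: tag, keeping the `resp` change as the minimal leak fix and moving the `qp_attr` cleanup to a separate patch would make the fix easier to backport on its own.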
-- 
2.20.1
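The commit message describes a classic pattern: a struct is declared on the stack, only some of its fields are written (here `grh` only when `is_global` is set), and the whole struct is then copied to userspace, so the unwritten bytes carry whatever was previously on the stack. The following is an added example, not code from the patch or the kernel, that models the pattern in plain C. `struct qp_attr_resp`, `copy_ah_attr()` and `stale_bytes()` are constructed stand-ins for `struct ib_uverbs_qp_attr`, `ib_copy_ah_attr_to_user()` and the copy to userspace; the "dirty stack" is simulated deterministically by pre-filling the struct with a marker byte, since reading genuinely uninitialised memory is undefined behaviour and would not give a repeatable demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct ib_uverbs_qp_attr: only the fields that
 * matter for the leak. All fields are 32-bit so the struct has no padding
 * and the byte counts below are exact on any common ABI. */
struct qp_attr_resp {
	uint32_t qp_attr_mask;
	uint32_t is_global;
	uint32_t grh[4];	/* models resp.grh (16 bytes of routing header) */
};

#define STALE_BYTE 0xAA		/* marker for "leftover stack contents" */

/* Models ib_copy_ah_attr_to_user(): grh is only written when is_global is set. */
static void copy_ah_attr(struct qp_attr_resp *resp, int is_global)
{
	resp->is_global = (uint32_t)is_global;
	if (is_global)
		memset(resp->grh, 0x11, sizeof(resp->grh)); /* constructed GRH data */
}

/* Models the copy to userspace: counts bytes that still carry the stale
 * marker, i.e. bytes the user would receive uninitialised. */
static size_t stale_bytes(const struct qp_attr_resp *resp)
{
	const uint8_t *p = (const uint8_t *)resp;
	size_t n = 0;

	for (size_t i = 0; i < sizeof(*resp); i++)
		n += (p[i] == STALE_BYTE);
	return n;
}

/* "Before": resp declared without an initializer; the old code only cleared
 * qp_attr_mask before the partial fill. */
size_t leak_before_fix(int is_global)
{
	struct qp_attr_resp resp;

	memset(&resp, STALE_BYTE, sizeof(resp)); /* simulate a dirty stack slot */
	resp.qp_attr_mask = 0;			 /* the only field cleared explicitly */
	copy_ah_attr(&resp, is_global);
	return stale_bytes(&resp);
}

/* "After": the whole struct is zeroed before any field is filled in, which is
 * what the patch's `resp = {}` initializer achieves. */
size_t leak_after_fix(int is_global)
{
	struct qp_attr_resp resp;

	memset(&resp, STALE_BYTE, sizeof(resp)); /* same dirty stack slot */
	memset(&resp, 0, sizeof(resp));		 /* zero everything first */
	resp.qp_attr_mask = 0;
	copy_ah_attr(&resp, is_global);
	return stale_bytes(&resp);
}

int main(void)
{
	printf("before fix, is_global=0: %zu stale bytes reach userspace\n",
	       leak_before_fix(0));
	printf("before fix, is_global=1: %zu stale bytes reach userspace\n",
	       leak_before_fix(1));
	printf("after fix,  is_global=0: %zu stale bytes reach userspace\n",
	       leak_after_fix(0));
	return 0;
}
```

With `is_global` clear, the "before" variant hands all 16 bytes of `grh` to the user unchanged; with it set, or with the struct zeroed first, nothing stale survives. The example deliberately uses a padding-free layout; real kernel structs such as this one usually do contain padding, and an initializer list does not guarantee those bytes are cleared, which is why `memset()` of a struct destined for `copy_to_user()` is the conservative choice and why tools like KMSAN flag exactly this kind of partial initialization.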



* Re: [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr()
  2022-02-04 10:00 [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr() Dan Carpenter
@ 2022-02-04 23:55 ` Jason Gunthorpe
  2022-02-05  9:11   ` Dan Carpenter
  0 siblings, 1 reply; 3+ messages in thread
From: Jason Gunthorpe @ 2022-02-04 23:55 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Haimin Zhang, Wenpeng Liang, Leon Romanovsky, Weihang Li,
	YueHaibing, Xiaofei Tan, Dasaratharaman Chandramouli,
	Doug Ledford, Sean Hefty, Don Hiatt, Ira Weiny, linux-rdma,
	security, Greg KH

On Fri, Feb 04, 2022 at 01:00:36PM +0300, Dan Carpenter wrote:
> From: Haimin Zhang <tcs.kernel@gmail.com>
> 
> The ib_copy_ah_attr_to_user() function only initializes "resp.grh" if
> the "resp.is_global" flag is set.  Unfortunately, this data is copied to
> the user and copying uninitialized stack data to the user is an
> information leak.  Zero out the whole "resp" struct to be safe.

Hasn't this already been fixed, and more comprehensively too?

commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd
Author: Leon Romanovsky <leon@kernel.org>
Date:   Tue Jan 4 14:21:52 2022 +0200

    RDMA/core: Don't infoleak GRH fields
    
    If dst->is_global field is not set, the GRH fields are not cleared
    and the following infoleak is reported.

Jason


* Re: [PATCH v2] RDMA/ucma: RDMA/ucma: fix a kernel-infoleak in ucma_init_qp_attr()
  2022-02-04 23:55 ` Jason Gunthorpe
@ 2022-02-05  9:11   ` Dan Carpenter
  0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2022-02-05  9:11 UTC (permalink / raw)
  To: Jason Gunthorpe
  Cc: Haimin Zhang, Wenpeng Liang, Leon Romanovsky, Weihang Li,
	YueHaibing, Xiaofei Tan, Dasaratharaman Chandramouli,
	Doug Ledford, Sean Hefty, Don Hiatt, Ira Weiny, linux-rdma,
	security, Greg KH

On Fri, Feb 04, 2022 at 07:55:59PM -0400, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2022 at 01:00:36PM +0300, Dan Carpenter wrote:
> > From: Haimin Zhang <tcs.kernel@gmail.com>
> > 
> > The ib_copy_ah_attr_to_user() function only initializes "resp.grh" if
> > the "resp.is_global" flag is set.  Unfortunately, this data is copied to
> > the user and copying uninitialized stack data to the user is an
> > information leak.  Zero out the whole "resp" struct to be safe.
> 
> Hasn't this already been fixed, and more comprehensively too?
> 
> commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd
> Author: Leon Romanovsky <leon@kernel.org>
> Date:   Tue Jan 4 14:21:52 2022 +0200
> 
>     RDMA/core: Don't infoleak GRH fields
>     
>     If dst->is_global field is not set, the GRH fields are not cleared
>     and the following infoleak is reported.
> 
> Jason

That does fix the bug.  It's unfortunate that Haimin Zhang doesn't get
the reported by tag on this.  That was my screw up.  Sorry.

regards,
dan carpenter


