From: "Saleem, Shiraz" <shiraz.saleem@intel.com>
To: Jason Gunthorpe <jgg@ziepe.ca>, Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Ismail, Mustafa" <mustafa.ismail@intel.com>,
Leon Romanovsky <leon@kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"kernel-janitors@vger.kernel.org"
<kernel-janitors@vger.kernel.org>
Subject: RE: [PATCH] RDMA/irdma: Initialize struct members in irdma_reg_user_mr()
Date: Tue, 24 May 2022 16:53:46 +0000
Message-ID: <MWHPR11MB0029F37D40D9D4A993F8F549E9D79@MWHPR11MB0029.namprd11.prod.outlook.com>
In-Reply-To: <20220524153600.GB2661880@ziepe.ca>
> Subject: Re: [PATCH] RDMA/irdma: Initialize struct members in
> irdma_reg_user_mr()
>
> On Tue, May 24, 2022 at 06:23:53PM +0300, Dan Carpenter wrote:
> > The ib_copy_from_udata() function does not always initialize the whole
> > struct. It depends on the value of udata->inlen. So initialize it to
> > zero at the start.
> >
> > Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb
> > APIs")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > What I know is that RDMA takes fast paths very seriously.
> >
> > This is probably a fast path so you may want to implement a different
> > solution. If you want to do something else then, just feel free to do
> > that and give me a Reported-by tag.
>
> This isn't fast path..
>
> But the bug here is not validating inlen properly and should be fixed there, not by
> zero-initing and allowing userspace to pass in an invalid inlen..
>
Hi Jason -
So something like this is appropriate?
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index 52f3e88..aecfedc 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2735,6 +2735,9 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size)
return ERR_PTR(-EINVAL);
+ if (udata->inlen < sizeof(req))
+ return ERR_PTR(-EINVAL);
+
region = ib_umem_get(pd->device, start, len, access);
if (IS_ERR(region)) {
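Review bot: the new `udata->inlen < sizeof(req)` test ties the minimum accepted input to the full current size of the request struct, so any later growth of that struct would make the kernel reject callers built against the older, shorter layout. Consider comparing against the length up to the last field this function actually requires (for example an offsetofend()-based minimum), and add a short comment saying the check exists because ib_copy_from_udata() initializes only as much of req as udata->inlen covers. Placing the check before ib_umem_get() is right, since the early return then has nothing to release.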