Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/drivers/infiniband/core
History
Mark Zhang 64733956eb RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string 
When copying the device name, the length of the data memcpy copied exceeds
the length of the source buffer, which cause the KASAN issue below.  Use
strscpy_pad() instead.

 BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
 Read of size 64 at addr ffff88811a10f5e0 by task rping/140263
 CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Call Trace:
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0+0x1d/0xa0
  kasan_report+0xcb/0x110
  kasan_check_range+0x13d/0x180
  memcpy+0x20/0x60
  ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
  ib_nl_make_request+0x1c6/0x380 [ib_core]
  send_mad+0x20a/0x220 [ib_core]
  ib_sa_path_rec_get+0x3e3/0x800 [ib_core]
  cma_query_ib_route+0x29b/0x390 [rdma_cm]
  rdma_resolve_route+0x308/0x3e0 [rdma_cm]
  ucma_resolve_route+0xe1/0x150 [rdma_ucm]
  ucma_write+0x17b/0x1f0 [rdma_ucm]
  vfs_write+0x142/0x4d0
  ksys_write+0x133/0x160
  do_syscall_64+0x43/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f26499aa90f
 Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48
 RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f
 RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003
 RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001
 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f26495f2e00
 R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810

 Allocated by task 131419:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  proc_self_get_link+0x8b/0x100
  pick_link+0x4f1/0x5c0
  step_into+0x2eb/0x3d0
  walk_component+0xc8/0x2c0
  link_path_walk+0x3b8/0x580
  path_openat+0x101/0x230
  do_filp_open+0x12e/0x240
  do_sys_openat2+0x115/0x280
  __x64_sys_openat+0xce/0x140
  do_syscall_64+0x43/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 2ca546b92a ("IB/sa: Route SA pathrecord query through netlink")
Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.com
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
 		2021-10-25 11:51:51 -03:00
..
Makefile
addr.c
agent.c
agent.h
cache.c IB/core: Shifting initialization of device->cache_lock 2021-07-16 10:57:28 -03:00
cgroup.c
cm.c
cm_msgs.h
cm_trace.c
cm_trace.h
cma.c RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests 2021-09-23 17:03:09 -03:00
cma_configfs.c
cma_priv.h RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests 2021-09-23 17:03:09 -03:00
cma_trace.c
cma_trace.h
core_priv.h RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
counters.c
cq.c
device.c RDMA: Globally allocate and release QP memory 2021-08-03 13:44:27 -03:00
ib_core_uverbs.c
iwcm.c RDMA/iwcm: Release resources if iw_cm module initialization fails 2021-07-30 10:01:40 -03:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
iwpm_util.c RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
iwpm_util.h RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
lag.c
mad.c
mad_priv.h
mad_rmpp.c
mad_rmpp.h
mr_pool.c
multicast.c
netlink.c
nldev.c
opa_smi.h
packer.c
rdma_core.c
rdma_core.h
restrack.c RDMA: Globally allocate and release QP memory 2021-08-03 13:44:27 -03:00
restrack.h
roce_gid_mgmt.c
rw.c
sa.h
sa_query.c RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string 2021-10-25 11:51:51 -03:00
security.c
smi.c
smi.h
sysfs.c
trace.c
ucma.c
ud_header.c
umem.c RDMA: Use the sg_table directly and remove the opencoded version from umem 2021-08-24 19:52:40 -03:00
umem_dmabuf.c RDMA: Use the sg_table directly and remove the opencoded version from umem 2021-08-24 19:52:40 -03:00
umem_odp.c IB/core: Remove deprecated current_seq comments 2021-08-23 13:43:08 -03:00
user_mad.c
uverbs.h
uverbs_cmd.c RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
uverbs_ioctl.c
uverbs_main.c
uverbs_marshall.c
uverbs_std_types.c
uverbs_std_types_async_fd.c
uverbs_std_types_counters.c
uverbs_std_types_cq.c
uverbs_std_types_device.c
uverbs_std_types_dm.c
uverbs_std_types_flow_action.c
uverbs_std_types_mr.c RDMA/uverbs: Track dmabuf memory regions 2021-08-19 09:59:53 -03:00
uverbs_std_types_qp.c RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
uverbs_std_types_srq.c
uverbs_std_types_wq.c
uverbs_uapi.c
verbs.c RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00