Dear Linux Kernel Developers for Network RDS,

We encountered "UBSAN: array-index-out-of-bounds in rds_cmsg_recv" when testing the RDS with our generated specifications. The C reproduce program and logs for this crash are attached.

This crash happens when RDS receives messages by using `rds_cmsg_recv`, which reads the `j+1` index of the array `inc->i_rx_lat_trace` (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L585). The length of the `inc->i_rx_lat_trace` array is 4 (defined by `RDS_RX_MAX_TRACES`, https://elixir.bootlin.com/linux/v6.7/source/net/rds/rds.h#L289), while `j` is the value stored in another array `rs->rs_rx_trace` (https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L583), which is sent from others and could be an arbitrary value.

This crash might be exploited to read values out of bounds from the array by setting arbitrary values for the array `rs->rs_rx_trace`.

If you have any questions or require more information, please feel free to contact us.

Best,
Chenyuan
Attachments (binary data): repro.prog, repro.report, repro.log, repro.cprog
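A defender-side model of the bound the report implies, added here as an example and not the kernel's or the reporter's code: it assumes the sizes the report gives (a 4-entry `i_rx_lat_trace`, a read at `j+1`) and validates trace positions where they enter the socket state, so a position whose `j+1` would fall outside the array (3 and above) is rejected before any receive path can use it.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the RDS receive-latency trace arrays from the report;
 * not the kernel's code. inc->i_rx_lat_trace has RDS_RX_MAX_TRACES (4)
 * entries and rds_cmsg_recv reads entries j and j+1, j from rs->rs_rx_trace. */
#define RDS_RX_MAX_TRACES 4

struct rds_incoming_model {
	uint64_t i_rx_lat_trace[RDS_RX_MAX_TRACES]; /* receive-path timestamps */
};

struct rds_sock_model {
	unsigned int rs_rx_traces;                   /* positions in use */
	unsigned int rs_rx_trace[RDS_RX_MAX_TRACES]; /* trace positions (j) */
};

/* Validate caller-supplied trace positions where they enter the socket
 * state, before any receive path uses them. Returns 0 on success, -1 if a
 * position would let the later j+1 read step past i_rx_lat_trace. */
int rds_set_rx_trace_checked(struct rds_sock_model *rs,
			     const unsigned int *pos, unsigned int n)
{
	unsigned int i;
	if (n > RDS_RX_MAX_TRACES)
		return -1;
	for (i = 0; i < n; i++) {
		/* Both pos[i] and pos[i] + 1 must be in-bounds indices. */
		if (pos[i] >= RDS_RX_MAX_TRACES - 1)
			return -1;
	}
	rs->rs_rx_traces = n;
	memcpy(rs->rs_rx_trace, pos, n * sizeof(*pos));
	return 0;
}

/* Mirrors the latency computation out[i] = trace[j+1] - trace[j]. It is
 * in-bounds only because every stored j passed the check above. Returns
 * the number of latencies written. */
unsigned int rds_rx_latencies(const struct rds_sock_model *rs,
			      const struct rds_incoming_model *inc, uint64_t *out)
{
	unsigned int i;
	for (i = 0; i < rs->rs_rx_traces; i++) {
		unsigned int j = rs->rs_rx_trace[i];
		out[i] = inc->i_rx_lat_trace[j + 1] - inc->i_rx_lat_trace[j];
	}
	return rs->rs_rx_traces;
}
```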