Re: [Linux Kernel Bug] UBSAN: array-index-out-of-bounds in rds_cmsg_recv


 



On 2024/1/22 13:48, Randy Dunlap wrote:
Hi,


On 1/21/24 00:34, Zhu Yanjun wrote:
On 2024/1/19 22:29, Chenyuan Yang wrote:
Dear Linux Kernel Developers for Network RDS,

We encountered "UBSAN: array-index-out-of-bounds in rds_cmsg_recv"
when testing the RDS with our generated specifications. The C
reproducer program and logs for this crash are attached.

This crash happens when RDS receives messages by using
`rds_cmsg_recv`, which reads the `j+1` index of the array
`inc->i_rx_lat_trace`
(https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L585).
The length of `inc->i_rx_lat_trace` array is 4 (defined by
`RDS_RX_MAX_TRACES`,
https://elixir.bootlin.com/linux/v6.7/source/net/rds/rds.h#L289) while
`j` is the value stored in another array `rs->rs_rx_trace`
(https://elixir.bootlin.com/linux/v6.7/source/net/rds/recv.c#L583),
which is sent from others and could be an arbitrary value.

I recommend using the latest RDS for testing. The RDS in the upstream Linux kernel is too old. The RDS in Oracle Linux is newer.

Why is the upstream kernel lagging behind?  Is the RDS maintainer going
to submit patches to update mainline?

When I was at Oracle and worked with RDS, I had planned to upgrade the kernel RDS to the latest. But after I submitted several patch series, the Oracle Developing Center of China was shut down. I could not finish the plan. But the UEK kernel in Oracle Linux has the latest RDS.

If you want to test with RDS, I recommend using the UEK kernel in Oracle Linux.

Or you can install the UEK kernel in RedHat. IMO, this UEK kernel can also work in RedHat Linux.

Zhu Yanjun


Thanks.

Zhu Yanjun


This crash might be exploited to read the value out of bounds from the
array by setting arbitrary values for the array `rs->rs_rx_trace`.

If you have any questions or require more information, please feel
free to contact us.

Best,
Chenyuan
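
The indexing problem described in the report, as a simplified user-space C model added here (not code from the kernel or from anyone in this thread): every position `j` is checked so that both `j` and `j + 1` fall inside the 4-entry array before any delta is computed. The struct names, the `uint8_t` element type, `demo_delta` and the sample timestamps are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RDS_RX_MAX_TRACES 4   /* array length stated in the report */

/* Hypothetical user-space stand-ins for the kernel structures. */
struct inc_model { uint64_t i_rx_lat_trace[RDS_RX_MAX_TRACES]; };
struct sock_model {
    uint8_t rs_rx_traces;                    /* number of requested positions */
    uint8_t rs_rx_trace[RDS_RX_MAX_TRACES];  /* caller-supplied positions */
};

/* A position is usable only if j and j + 1 both index inside the array. */
static int trace_pos_valid(uint8_t j)
{
    return (size_t)j + 1 < RDS_RX_MAX_TRACES;
}

/* delta[i] = trace[j + 1] - trace[j]; returns -1 before reading anything
 * if the count or any requested position is out of range. */
static int compute_deltas(const struct inc_model *inc,
                          const struct sock_model *rs,
                          uint64_t delta[RDS_RX_MAX_TRACES])
{
    if (rs->rs_rx_traces > RDS_RX_MAX_TRACES)
        return -1;
    for (size_t i = 0; i < rs->rs_rx_traces; i++)
        if (!trace_pos_valid(rs->rs_rx_trace[i]))
            return -1;
    for (size_t i = 0; i < rs->rs_rx_traces; i++) {
        uint8_t j = rs->rs_rx_trace[i];
        delta[i] = inc->i_rx_lat_trace[j + 1] - inc->i_rx_lat_trace[j];
    }
    return 0;
}

/* Constructed sample: timestamps 10, 25, 45, 70 and one requested position. */
static long long demo_delta(uint8_t j)
{
    struct inc_model inc = { { 10, 25, 45, 70 } };
    struct sock_model rs = { 1, { j } };
    uint64_t delta[RDS_RX_MAX_TRACES] = { 0 };
    return compute_deltas(&inc, &rs, delta) == 0 ? (long long)delta[0] : -1;
}

int main(void)
{
    printf("%lld %lld %lld\n", demo_delta(0), demo_delta(2), demo_delta(3));
    return 0;
}
```

Position 3 is rejected even though it is a valid index on its own, because the delta also reads index `j + 1`.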







