On Wed, Mar 28, 2018 at 12:35:13AM -0700, Roland Dreier wrote: > From: Roland Dreier <roland@xxxxxxxxxxxxxxx> > > If userspace passes a sockaddr with sa_family == AF_IB to the ucma join IP > multicast command, the kernel will memcpy() past the end of its buffer. Fix > this by checking the addr_size we get back against the sockaddr buffer sizes. > > Reported-and-tested-by: syzbot+6800425d54ed3ed8135d@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Roland Dreier <roland@xxxxxxxxxxxxxxx> > --- > drivers/infiniband/core/ucma.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c > index e5a1e7d81326..565efa8f43a5 100644 > --- a/drivers/infiniband/core/ucma.c > +++ b/drivers/infiniband/core/ucma.c > @@ -1427,7 +1427,9 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, > join_cmd.uid = cmd.uid; > join_cmd.id = cmd.id; > join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); > - if (!join_cmd.addr_size) > + if (!join_cmd.addr_size || > + join_cmd.addr_size > sizeof(join_cmd.addr) || > + join_cmd.addr_size > sizeof(cmd.addr)) The "join_cmd.addr_size > sizeof(cmd.addr)" is not needed, because we copy only join_cmd.addr_size bytes and ensure that it has size equal to sizeof(cmd.addr). Thanks, Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
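Review bot: The hunk's visible context stops at the new condition and does not include the memcpy() call that the commit message says overruns, nor the declarations of join_cmd.addr and cmd.addr, so from the hunk alone a reviewer cannot confirm which of the two bounds (`join_cmd.addr_size > sizeof(join_cmd.addr)` or `join_cmd.addr_size > sizeof(cmd.addr)`) actually guards the copy, and therefore cannot verify the claim that the `sizeof(cmd.addr)` comparison is redundant. The commit message describes an over-copy driven by rdma_addr_size() returning a size for sa_family == AF_IB that is larger than the sockaddr supplied by userspace; since the copy reads from cmd.addr and writes to join_cmd.addr, the safe bound is the smaller of the two buffers. Suggest the commit message state the sizes of both fields explicitly, and unless sizeof(join_cmd.addr) is known to be no larger than sizeof(cmd.addr), keep both comparisons: an extra compile-time-constant compare is free, whereas dropping the wrong one reintroduces the syzbot-reported memory corruption.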