Re: [PATCH] RDMA/ucma: Introduce safer rdma_addr_size() variants

On Wed, Mar 28, 2018 at 11:27:22AM -0700, Roland Dreier wrote:
> From: Roland Dreier <roland@xxxxxxxxxxxxxxx>
> 
> There are several places in the ucma ABI where userspace can pass in a
> sockaddr but set the address family to AF_IB.  When that happens,
> rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
> and the ucma kernel code might end up copying past the end of a buffer
> not sized for a struct sockaddr_ib.
> 
> Fix this by introducing new variants
> 
>     int rdma_addr_size_in6(struct sockaddr_in6 *addr);
>     int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
> 
> that are type-safe for the types used in the ucma ABI and return 0 if the
> size computed is bigger than the size of the type passed in.  We can use
> these new variants to check what size userspace has passed in before
> copying any addresses.
> 
> Reported-by: syzbot+6800425d54ed3ed8135d@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Roland Dreier <roland@xxxxxxxxxxxxxxx>
> ---

Applied to for-rc, thanks

Jason
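
The check described in the quoted commit message, as an added userspace example. It is not the code from the patch: the `model_*` names, `MODEL_AF_IB` and `struct model_sockaddr_ib` are hypothetical stand-ins, and the only property assumed of the IB address type is that it is larger than `struct sockaddr_in6` and smaller than `struct sockaddr_storage`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumption: stand-in for the kernel's AF_IB address type; only its size
 * relative to sockaddr_in6 and sockaddr_storage matters for this example. */
#define MODEL_AF_IB 27
struct model_sockaddr_ib { uint16_t family; uint8_t rest[46]; };

/* Unchecked lookup: the size is derived from the family field alone, so a
 * caller-controlled family can imply more bytes than the container holds. */
static size_t model_addr_size(const struct sockaddr *addr)
{
    switch (addr->sa_family) {
    case AF_INET:     return sizeof(struct sockaddr_in);
    case AF_INET6:    return sizeof(struct sockaddr_in6);
    case MODEL_AF_IB: return sizeof(struct model_sockaddr_ib);
    default:          return 0;
    }
}

/* Type-safe variants: return 0 when the implied size exceeds the container. */
static size_t model_addr_size_in6(const struct sockaddr_in6 *addr)
{
    size_t n = model_addr_size((const struct sockaddr *)addr);
    return n <= sizeof(*addr) ? n : 0;
}
static size_t model_addr_size_storage(const struct sockaddr_storage *addr)
{
    size_t n = model_addr_size((const struct sockaddr *)addr);
    return n <= sizeof(*addr) ? n : 0;
}

/* Caller pattern: validate the size first; returns bytes copied or -1. */
static int copy_in6_checked(struct sockaddr_in6 *dst, const struct sockaddr_in6 *src)
{
    size_t n = model_addr_size_in6(src);
    if (n == 0) return -1;   /* reject before any copy happens */
    memcpy(dst, src, n);
    return (int)n;
}

int main(void)
{
    struct sockaddr_in6 a;   /* constructed input: in6-sized buffer, IB family */
    memset(&a, 0, sizeof a);
    a.sin6_family = MODEL_AF_IB;
    printf("unchecked=%zu checked=%zu container=%zu\n",
           model_addr_size((const struct sockaddr *)&a), model_addr_size_in6(&a), sizeof a);
    return 0;
}
```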