infiniband vulnerability report

> On Thu, Apr 12, 2018 at 10:26:49AM +0200, Greg KH wrote:
> > On Thu, Apr 12, 2018 at 01:54:47AM +0000, 连一汉 wrote:
> > > 
> > > Hi, I'm not sure if you received this email, so I am sending it again.
> > > 
> > > I'm Lian yihan, a security researcher of Qihoo 360 GearTeam.
> > > 
> > > I found a vulnerability in the Linux infiniband driver in linux-4.14.33.
> > 
> > Is this also in 4.16.1?  Lots of IB stuff has been fixed recently.
> > 
> > And IB developers, any ideas here?  Any chance you all can start
> > properly marking patches for stable kernels?  :)

> I didn't get the start of this thread..

> Is this the thing Leon said was fixed by:

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/infiniband/core?id=e8980d67d6017c8eee8f9c35f782c4bd68e004c9

>?

No, this patch has been used in linux-4.16.1, but I can still reproduce the POC in it.

And this bug happens in rdma_listen(): cma_bind_listen() uses the "bind_list" of "id_priv" before it has a real value. It has nothing to do with "cm_id".

The following is my debug info:

In thread 1, the bind_list is NULL !!!:
	Thread 1 hit Breakpoint 1, rdma_listen (id=0xffff8800965be038, backlog=1024) at drivers/infiniband/core/cma.c:3261
	3261                    ret = cma_bind_listen(id_priv);
	1: ((struct rdma_id_private *)id)->bind_list = (struct rdma_bind_list *) 0x0 <irq_stack_union>
	2: ((struct rdma_id_private *)id)->state = RDMA_CM_LISTEN
	3: ((struct rdma_id_private *)id)->reuseaddr = 1 '\001'
	4: &((struct rdma_id_private *)id)->bind_list = (struct rdma_bind_list **) 0xffff8800965be1f8

The cause is that rdma_listen() used id_priv before the bind_list assignment in cma_bind_port() in Thread 2:

	(gdb) ni
	[Switching to Thread 2]

	Thread 2 hit Hardware watchpoint 4: *(int *)0xffff8800965be1f8

	Old value = 0
	New value = 2107082216
	0xffffffff830b7fd8 in cma_bind_port (bind_list=0xffff88007d9785e8, id_priv=0xffff8800965be038) at drivers/infiniband/core/cma.c:2975
	2975            id_priv->bind_list = bind_list;
	(gdb) bt
	#0  0xffffffff830b7fd8 in cma_bind_port (bind_list=0xffff88007d9785e8, id_priv=0xffff8800965be038) at drivers/infiniband/core/cma.c:2975
	#1  0xffffffff830c2077 in cma_alloc_port (ps=<optimized out>, id_priv=0xffff8800965be038, snum=<optimized out>) at drivers/infiniband/core/cma.c:2996
	#2  0xffffffff830d956e in cma_alloc_any_port (id_priv=<optimized out>, ps=<optimized out>) at drivers/infiniband/core/cma.c:3061
	#3  cma_get_port (id_priv=<optimized out>) at drivers/infiniband/core/cma.c:3214
	#4  rdma_bind_addr (id=0xffff8800965be038, addr=<optimized out>) at drivers/infiniband/core/cma.c:3334
	#5  0xffffffff830da5c4 in cma_bind_addr (dst_addr=<optimized out>, src_addr=0xffff880067107b68, id=<optimized out>) at drivers/infiniband/core/cma.c:2858
	#6  rdma_resolve_addr (id=0xffff8800965be038, src_addr=0xffff880067107b68, dst_addr=0xffff880067107b84, timeout_ms=<optimized out>)
		at drivers/infiniband/core/cma.c:2870
	#7  0xffffffff83138f99 in ucma_resolve_ip (file=0xffff880096ac2968, inbuf=<optimized out>, in_len=<optimized out>, out_len=<optimized out>)
		at drivers/infiniband/core/ucma.c:693
	#8  0xffffffff831369e9 in ucma_write (filp=<optimized out>, buf=0x200003c0 "\003", len=72, pos=<optimized out>) at drivers/infiniband/core/ucma.c:1659

I hope this conveys my thoughts with clarity :)
> Jason

Regards
Lian
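A constructed userspace model of the window the gdb output above shows (added example, not kernel code; the structs and function names are simplified stand-ins for drivers/infiniband/core/cma.c, and the port value is made up): the racy bind advances the state before publishing bind_list, so a concurrent listen that trusts the state dereferences NULL, whereas the hardened pair updates both fields under one lock and has listen re-validate bind_list before using it.

```c
/* Constructed userspace model of the race in the thread above, not kernel code:
 * the structs and names are simplified stand-ins for drivers/infiniband/core/cma.c. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

enum cm_state { CM_IDLE, CM_ADDR_BOUND, CM_LISTEN };
struct rdma_bind_list { unsigned short port; };
struct rdma_id_private {
	pthread_mutex_t lock;              /* serialises state and bind_list updates */
	enum cm_state state;
	struct rdma_bind_list *bind_list;  /* NULL until a port has been allocated */
};
#define ID_INIT { PTHREAD_MUTEX_INITIALIZER, CM_IDLE, NULL }

/* Racy bind as two steps: state is advanced before bind_list is published.
 * Between them is the window Thread 1 hit (state moved on, bind_list == NULL). */
static void racy_bind_step1(struct rdma_id_private *p) { p->state = CM_ADDR_BOUND; }
static void racy_bind_step2(struct rdma_id_private *p, struct rdma_bind_list *bl) { p->bind_list = bl; }

/* Vulnerable listen: trusts the state field and dereferences bind_list blindly. */
static int listen_unchecked(struct rdma_id_private *p) {
	if (p->state != CM_ADDR_BOUND) return -EINVAL;
	p->state = CM_LISTEN;
	return p->bind_list->port;  /* NULL dereference inside the window above */
}

/* Hardened pair: bind publishes bind_list and state together under the lock,
 * and listen re-checks bind_list under the same lock before touching it. */
static void safe_bind(struct rdma_id_private *p, struct rdma_bind_list *bl) {
	pthread_mutex_lock(&p->lock);
	p->bind_list = bl;
	p->state = CM_ADDR_BOUND;
	pthread_mutex_unlock(&p->lock);
}

static int listen_checked(struct rdma_id_private *p) {
	int ret;
	pthread_mutex_lock(&p->lock);
	if (p->state != CM_ADDR_BOUND || p->bind_list == NULL) {
		ret = -EINVAL;            /* refuse rather than dereference NULL */
	} else {
		p->state = CM_LISTEN;
		ret = p->bind_list->port;
	}
	pthread_mutex_unlock(&p->lock);
	return ret;
}
```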