RE: [PATCH rdma-next] IB/ucm: Initialize sgid request GID attribute pointer

Parav Pandit <parav@xxxxxxxxxxxx> · Mon, 6 Aug 2018 21:25:13 +0000

> -----Original Message-----
> From: Leon Romanovsky <leon@xxxxxxxxxx>
> Sent: Sunday, August 5, 2018 11:46 PM
> To: Doug Ledford <dledford@xxxxxxxxxx>; Jason Gunthorpe
> <jgg@xxxxxxxxxxxx>
> Cc: Parav Pandit <parav@xxxxxxxxxxxx>; RDMA mailing list <linux-
> rdma@xxxxxxxxxxxxxxx>; Yossi Itigin <yosefe@xxxxxxxxxxxx>; Leon
> Romanovsky <leonro@xxxxxxxxxxxx>
> Subject: [PATCH rdma-next] IB/ucm: Initialize sgid request GID attribute pointer
> 
> From: Parav Pandit <parav@xxxxxxxxxxxx>
> 
> sgid_attr is uninitialized on the stack, initialize it to NULL.
> 
> Fixes: 398391071f25 ("IB/cm: Replace members of sa_path_rec with 'struct
> sgid_attr *'")
> Signed-off-by: Parav Pandit <parav@xxxxxxxxxxxx>
> Reviewed-by: Yossi Itigin <yosefe@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
When this fix was written in middle of July, it was planned for for-rc and Fixes line was sufficient for 4.18 rc cycle.
But due to few limitations, it posted pretty late now. Leon mentioned that commit log doesn't qualify for late rc hence it is for-next.

This fix is needed for for-rc otherwise user space may be able to crash the kernel on uninitialized stack value of sgid_attr.
Do we need v1 with additional line explaining that uninitialized pointer can crash kernel?

>  drivers/infiniband/core/ucm.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c index
> 9eef96dacbd7..3e21a879d386 100644
> --- a/drivers/infiniband/core/ucm.c
> +++ b/drivers/infiniband/core/ucm.c
> @@ -1000,14 +1000,11 @@ static ssize_t ib_ucm_send_sidr_req(struct
> ib_ucm_file *file,
>  				    const char __user *inbuf,
>  				    int in_len, int out_len)
>  {
> -	struct ib_cm_sidr_req_param param;
> +	struct ib_cm_sidr_req_param param = {};
>  	struct ib_ucm_context *ctx;
>  	struct ib_ucm_sidr_req cmd;
>  	int result;
> 
> -	param.private_data = NULL;
> -	param.path = NULL;
> -
>  	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
>  		return -EFAULT;
> 
> --
> 2.14.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html