On Mon, Aug 06, 2018 at 09:25:13PM +0000, Parav Pandit wrote:
>
>
> > -----Original Message-----
> > From: Leon Romanovsky <leon@xxxxxxxxxx>
> > Sent: Sunday, August 5, 2018 11:46 PM
> > To: Doug Ledford <dledford@xxxxxxxxxx>; Jason Gunthorpe
> > <jgg@xxxxxxxxxxxx>
> > Cc: Parav Pandit <parav@xxxxxxxxxxxx>; RDMA mailing list <linux-
> > rdma@xxxxxxxxxxxxxxx>; Yossi Itigin <yosefe@xxxxxxxxxxxx>; Leon
> > Romanovsky <leonro@xxxxxxxxxxxx>
> > Subject: [PATCH rdma-next] IB/ucm: Initialize sgid request GID attribute pointer
> >
> > From: Parav Pandit <parav@xxxxxxxxxxxx>
> >
> > sgid_attr is uninitialized on the stack, initialize it to NULL.
> >
> > Fixes: 398391071f25 ("IB/cm: Replace members of sa_path_rec with 'struct
> > sgid_attr *'")
> > Signed-off-by: Parav Pandit <parav@xxxxxxxxxxxx>
> > Reviewed-by: Yossi Itigin <yosefe@xxxxxxxxxxxx>
> > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> > ---
> When this fix was written in middle of July, it was planned for for-rc and Fixes line was sufficient for 4.18 rc cycle.
> But due to few limitations, it posted pretty late now. Leon mentioned that commit log doesn't qualify for late rc hence it is for-next.
>
> This fix is needed for for-rc otherwise user space may be able to crash the kernel on uninitialized stack value of sgid_attr.
> Do we need v1 with additional line explaining that uninitialized pointer can crash kernel?
Parav,
You are fixing commit 398391071f25, which is in -next branch and doesn't
exist in rdma-rc.
Thanks
>
>
> > drivers/infiniband/core/ucm.c | 5 +----
> > 1 file changed, 1 insertion(+), 4 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c index
> > 9eef96dacbd7..3e21a879d386 100644
> > --- a/drivers/infiniband/core/ucm.c
> > +++ b/drivers/infiniband/core/ucm.c
> > @@ -1000,14 +1000,11 @@ static ssize_t ib_ucm_send_sidr_req(struct
> > ib_ucm_file *file,
> > const char __user *inbuf,
> > int in_len, int out_len)
> > {
> > - struct ib_cm_sidr_req_param param;
> > + struct ib_cm_sidr_req_param param = {};
> > struct ib_ucm_context *ctx;
> > struct ib_ucm_sidr_req cmd;
> > int result;
> >
> > - param.private_data = NULL;
> > - param.path = NULL;
> > -
> > if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
> > return -EFAULT;
> >
> > --
> > 2.14.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Attachment:
signature.asc
Description: PGP signature
