On Fri, 2017-07-07 at 10:28 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> The patch below does not apply to the 3.18-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git
> commit
> id to <stable@xxxxxxxxxxxxxxx>.
We don't really need this patch on kernels prior to 4.4 (and I sent a
fix patch for kernels between 4.4 and 4.9, which are the other two
versions you support that it failed on). Really, the function that is
causing the kernel crash was new to v4.12, and so even though users
could send bad data to kernels prior to v4.12, the specific BUGs
referenced in this fix would not occur (but other bad things might).
For kernels prior to 4.4, we actually need significant changes to this
patch for it to even work (the two functions in question do not have
immediate access to ib_dev in kernels prior to 4.4, so checking the
port_num against the valid ports on the ib_dev becomes a much harder
task). Since the function causing the BUG doesn't exist on these
earlier kernels (and there are other redundant checks for valid port
numbers in earlier kernels, but those checks weren't sufficient in the
v4.12 kernels and later because we used the port_num before the checks
were run, thereby causing this bug), we can ignore this on earlier
kernels. Thanks.
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00
> 2001
> From: Boris Pismenny <borisp@xxxxxxxxxxxx>
> Date: Tue, 27 Jun 2017 15:09:13 +0300
> Subject: [PATCH] RDMA/uverbs: Check port number supplied by user
> verbs cmds
>
> The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
> the port number from user input as part of its attributes and assumes
> it is valid. Down on the stack, that parameter is used to access
> kernel
> data structures. If the value is invalid, the kernel accesses memory
> it should not. To prevent this, verify the port number before using
> it.
>
> BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
> Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
>
> BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
> Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
>
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
> Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet
> pacing")
> Cc: <stable@xxxxxxxxxxxxxxx> # v2.6.14+
> Cc: <security@xxxxxxxxxx>
> Cc: Yevgeny Kliteynik <kliteyn@xxxxxxxxxxxx>
> Cc: Tziporet Koren <tziporet@xxxxxxxxxxxx>
> Cc: Alex Polak <alexpo@xxxxxxxxxxxx>
> Signed-off-by: Boris Pismenny <borisp@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
>
> diff --git a/drivers/infiniband/core/uverbs_cmd.c
> b/drivers/infiniband/core/uverbs_cmd.c
> index 70b7fb156414..e63f2a13c5e1 100644
> --- a/drivers/infiniband/core/uverbs_cmd.c
> +++ b/drivers/infiniband/core/uverbs_cmd.c
> @@ -1931,6 +1931,11 @@ static int modify_qp(struct ib_uverbs_file
> *file,
> goto out;
> }
>
> + if (!rdma_is_port_valid(qp->device, cmd->base.port_num)) {
> + ret = -EINVAL;
> + goto release_qp;
> + }
> +
> attr->qp_state = cmd->base.qp_state;
> attr->cur_qp_state = cmd->base.cur_qp_state;
> attr->path_mtu = cmd->base.path_mtu;
> @@ -2541,6 +2546,9 @@ ssize_t ib_uverbs_create_ah(struct
> ib_uverbs_file *file,
> if (copy_from_user(&cmd, buf, sizeof cmd))
> return -EFAULT;
>
> + if (!rdma_is_port_valid(ib_dev, cmd.attr.port_num))
> + return -EINVAL;
> +
> INIT_UDATA(&udata, buf + sizeof(cmd),
> (unsigned long)cmd.response + sizeof(resp),
> in_len - sizeof(cmd), out_len - sizeof(resp));
>
--
Doug Ledford <dledford@xxxxxxxxxx>
GPG KeyID: B826A3330E572FDD
Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD