Subject: Re: [PATCH net] RDS: Check cmsg_len before dereferencing CMSG_DATA
To: Avinash Repaka, "David S. Miller", netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org
References: <1513916224-9445-1-git-send-email-avinash.repaka@oracle.com>
From: "santosh.shilimkar@oracle.com"
Organization: Oracle Corporation
Date: Thu, 21 Dec 2017 22:58:35 -0800
In-Reply-To: <1513916224-9445-1-git-send-email-avinash.repaka@oracle.com>

On 12/21/17 8:17 PM, Avinash Repaka wrote:
> RDS currently doesn't check if the length of the control message is
> large enough to hold the required data, before dereferencing the control
> message data. This results in the following crash:
>
> BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
> [inline]
> BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
> net/rds/send.c:1066
> Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157
>
> CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> print_address_description+0x73/0x250 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x25b/0x340 mm/kasan/report.c:409
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
> rds_rdma_bytes net/rds/send.c:1013 [inline]
> rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
> sock_sendmsg_nosec net/socket.c:628 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:638
> ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
> __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
> SYSC_sendmmsg net/socket.c:2139 [inline]
> SyS_sendmmsg+0x35/0x60 net/socket.c:2134
> entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x43fe49
> RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
> RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
> RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
> R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000
>
> To fix this, we verify that the cmsg_len is large enough to hold the
> data to be read, before proceeding further.
>
> Reported-by: syzbot
> Signed-off-by: Avinash Repaka
> ---

Thanks !!
Acked-by: Santosh Shilimkar
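The length check the quoted report describes, as an added userspace illustration that is not the kernel patch itself: a control-buffer walker using the standard CMSG macros that rejects any message whose cmsg_len cannot hold the expected fixed-size payload before CMSG_DATA is read. The struct demo_rdma_args, the DEMO_CMSG_RDMA_ARGS type value and the demo_* functions are hypothetical stand-ins, and the control buffer is constructed inline.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical fixed-size payload behind the RDMA cmsg (not the kernel's struct). */
struct demo_rdma_args {
	uint64_t remote_addr;
	uint64_t bytes;
};

#define DEMO_CMSG_RDMA_ARGS 1 /* constructed cmsg_type value */

/* Sum the RDMA byte counts in msg's control buffer. A cmsg of our type whose
 * cmsg_len cannot hold a full payload is rejected before CMSG_DATA is read. */
int demo_rdma_bytes(struct msghdr *msg, uint64_t *rdma_bytes)
{
	struct cmsghdr *cmsg;
	struct demo_rdma_args *args;
	*rdma_bytes = 0;
	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
		if (cmsg->cmsg_type != DEMO_CMSG_RDMA_ARGS)
			continue;
		if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct demo_rdma_args)))
			return -EINVAL; /* header promises fewer bytes than we need */
		args = (struct demo_rdma_args *)CMSG_DATA(cmsg);
		*rdma_bytes += args->bytes;
	}
	return 0;
}

/* Build one constructed control message with cmsg_len set to `len` and run the
 * check over it. A well-formed sender uses CMSG_LEN(sizeof(struct demo_rdma_args)). */
int demo_run(size_t len, uint64_t *out)
{
	union { char buf[CMSG_SPACE(sizeof(struct demo_rdma_args))]; struct cmsghdr hdr; } u;
	struct msghdr msg;
	struct demo_rdma_args args = { .remote_addr = 0x1000, .bytes = 4096 };
	memset(&u, 0, sizeof(u));
	memset(&msg, 0, sizeof(msg));
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	u.hdr.cmsg_level = SOL_SOCKET;
	u.hdr.cmsg_type = DEMO_CMSG_RDMA_ARGS;
	u.hdr.cmsg_len = len; /* the only field varied between the constructed cases */
	memcpy(CMSG_DATA(&u.hdr), &args, sizeof(args));
	return demo_rdma_bytes(&msg, out);
}
```

A header-only cmsg (cmsg_len equal to sizeof(struct cmsghdr)) is exactly the shape that made the unchecked read run past the payload; with the check it is refused with -EINVAL instead.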