Date: Mon, 22 Jan 2018 03:24:15 -0800
From: Kees Cook
To: Santosh Shilimkar
Cc: Honggang Li, linux-kernel@vger.kernel.org, Sowmini Varadhan,
    Steve Beattie, Andy Whitcroft, "David S. Miller", Jay Fenlason,
    netdev@vger.kernel.org, linux-rdma@vger.kernel.org,
    rds-devel@oss.oracle.com
Subject: [PATCH] RDS: Fix rds-ping inducing kernel panic
Message-ID: <20180122112415.GA41074@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

As described in:

https://bugzilla.redhat.com/show_bug.cgi?id=822754

Attempting an RDS connection from the IP address of an IPoIB interface
to itself causes a kernel panic due to a BUG_ON() being triggered.
Making the test less strict allows rds-ping to work without crashing
the machine. A local unprivileged user could use this flaw to crash
the system.

I think this fix was written by Jay Fenlason, and extracted from the
RedHat kernel patches here:

https://oss.oracle.com/git/gitweb.cgi?p=redpatch.git;a=commitdiff;h=c7b6a0a1d8d636852be130fa15fa8be10d4704e8

This fix appears to have been carried by at least RedHat, Oracle, and
Ubuntu for several years.

CVE-2012-2372
Reported-by: Honggang Li
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook --- This is what I get for researching CVE lifetimes... --- net/rds/ib_send.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c index 8557a1cae041..5fbf635d17cb 100644 --- a/net/rds/ib_send.c +++ b/net/rds/ib_send.c @@ -506,7 +506,7 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm, int flow_controlled = 0; int nr_sig = 0; - BUG_ON(off % RDS_FRAG_SIZE); + BUG_ON(!conn->c_loopback && off % RDS_FRAG_SIZE); BUG_ON(hdr_off != 0 && hdr_off != sizeof(struct rds_header)); /* Do not send cong updates to IB loopback */ -- 2.7.4 -- Kees Cook Pixel Security
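Review bot: The hunk exempts loopback connections from the fragment-offset alignment check but carries no comment saying why "off" is allowed to be unaligned when conn->c_loopback is set, so the next reader of rds_ib_xmit() cannot tell whether the exemption is a deliberate property of the loopback path or a papering-over of the crash; a one-line comment above "BUG_ON(!conn->c_loopback && off % RDS_FRAG_SIZE);" explaining where the unaligned offset comes from on loopback would settle that. Separately, since the commit message says a local unprivileged user can reach this path, a BUG_ON() is the wrong tool for a condition driven by caller-supplied offsets: a panic is exactly the denial of service being fixed here, so consider replacing the assertion with "if (WARN_ON_ONCE(!conn->c_loopback && off % RDS_FRAG_SIZE)) return -EINVAL;" (return value chosen to match the function's int error convention), which keeps the invariant visible in logs without turning a bad offset into a machine crash, on loopback or otherwise.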