From: Greg Thelen
To: Doug Ledford, Jason Gunthorpe, Sean Hefty
Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Thelen
Subject: [PATCH] RDMA/ucma: reject AF_IB ip multicast requests
Date: Thu, 29 Mar 2018 21:24:55 -0700
Message-Id: <20180330042455.81032-1-gthelen@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot discovered that ucma_join_ip_multicast() mishandles AF_IB request
addresses. If an RDMA_USER_CM_CMD_JOIN_IP_MCAST request has
cmd.addr.sa_family=AF_IB then ucma_join_ip_multicast() reads beyond the
end of its cmd.addr.

Reject non IP RDMA_USER_CM_CMD_JOIN_IP_MCAST requests.
RDMA_USER_CM_CMD_JOIN_MCAST is interface for AF_IB multicast.

And add a buffer length safety check.

Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
Signed-off-by: Greg Thelen
---
 drivers/infiniband/core/ucma.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index e5a1e7d81326..e410e03940ff 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c
@@ -1423,11 +1423,19 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + switch (cmd.addr.sin6_family) { + case AF_INET: + case AF_INET6: + break; + default: + return -EINVAL; + } + join_cmd.response = cmd.response; join_cmd.uid = cmd.uid; join_cmd.id = cmd.id; join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); - if (!join_cmd.addr_size) + if (!join_cmd.addr_size || join_cmd.addr_size > sizeof(cmd.addr)) return -EINVAL; join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER; -- 2.17.0.rc1.321.gba9d0f2565-goog
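
Review bot: the added bound `join_cmd.addr_size > sizeof(cmd.addr)` at the end of the hunk has no comment, and after the new switch on cmd.addr.sin6_family it reads as dead code for the two families that are still accepted. The commit message calls it a safety check, so a one-line comment saying it guards against rdma_addr_size() returning a length larger than the user-supplied cmd.addr would keep it from being dropped in a later cleanup. Two smaller points: the switch tests sin6_family while the commit message describes the problem in terms of cmd.addr.sa_family, so it would help to note that cmd.addr is treated as a sockaddr_in6 here and the family field is shared; and since the root cause is trusting a user-controlled address family to size a read from a fixed-size field, it would be worth checking whether other ucma command handlers that pass a user-supplied cmd.addr to rdma_addr_size() need the same validation, ideally through one shared helper rather than a per-handler switch.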