From: Greg Thelen
Date: Fri, 30 Mar 2018 18:32:01 -0700
Subject: Re: [PATCH] RDMA/ucma: reject AF_IB ip multicast requests
To: Doug Ledford, Jason Gunthorpe, Sean Hefty
Cc: linux-rdma@vger.kernel.org, LKML, Greg Thelen
In-Reply-To: <20180330042455.81032-1-gthelen@google.com>

On Thu, Mar 29, 2018 at 9:24 PM, Greg Thelen wrote:
> syzbot discovered that ucma_join_ip_multicast() mishandles AF_IB request
> addresses. If an RDMA_USER_CM_CMD_JOIN_IP_MCAST request has
> cmd.addr.sa_family=AF_IB then ucma_join_ip_multicast() reads beyond the
> end of its cmd.addr.
>
> Reject non IP RDMA_USER_CM_CMD_JOIN_IP_MCAST requests.
> RDMA_USER_CM_CMD_JOIN_MCAST is interface for AF_IB multicast.
>
> And add a buffer length safety check.
>
> Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
> Signed-off-by: Greg Thelen
> ---
>  drivers/infiniband/core/ucma.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)

My patch is no longer needed. linus/master recently picked up
84652aefb347 ("RDMA/ucma: Introduce safer rdma_addr_size() variants")
which fixes the same issue.

> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c > index e5a1e7d81326..e410e03940ff 100644 > --- a/drivers/infiniband/core/ucma.c > +++ b/drivers/infiniband/core/ucma.c > @@ -1423,11 +1423,19 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file, > if (copy_from_user(&cmd, inbuf, sizeof(cmd))) > return -EFAULT; > > + switch (cmd.addr.sin6_family) { > + case AF_INET: > + case AF_INET6: > + break; > + default: > + return -EINVAL; > + } > + > join_cmd.response = cmd.response; > join_cmd.uid = cmd.uid; > join_cmd.id = cmd.id; > join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr); > - if (!join_cmd.addr_size) > + if (!join_cmd.addr_size || join_cmd.addr_size > sizeof(cmd.addr)) > return -EINVAL; > > join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER; > -- > 2.17.0.rc1.321.gba9d0f2565-goog >
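
Review bot: The added switch in ucma_join_ip_multicast() tests cmd.addr.sin6_family, while the rdma_addr_size() call a few lines later views the same storage through a (struct sockaddr *) cast and the commit message speaks of sa_family. Reading the family through one view for both, for example a local "struct sockaddr *addr = (struct sockaddr *) &cmd.addr;" used by the switch and by the size lookup, would make it obvious that the family check and the size computation inspect the same field. Separately, once the switch has limited the family to AF_INET and AF_INET6, the new "join_cmd.addr_size > sizeof(cmd.addr)" bound reads as a defence-in-depth check rather than a path the accepted families are expected to reach; a one-line comment saying so would keep a later cleanup from removing it as dead code. The default: branch changes what userspace sees for an AF_IB request on this command from an over-read to -EINVAL, so a short comment there pointing callers at RDMA_USER_CM_CMD_JOIN_MCAST, as the commit message does, would document the intended interface in the code itself.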