Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp647281imu; Fri, 11 Jan 2019 06:45:37 -0800 (PST) X-Google-Smtp-Source: ALg8bN6y9Snyg8RJBcq4l/HCz8uw4S/e5plvQ/UNWJ6t683K4zqj+Xg64daUUvVblF6nU3jOdoNG X-Received: by 2002:a17:902:8ec8:: with SMTP id x8mr15044431plo.210.1547217937858; Fri, 11 Jan 2019 06:45:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547217937; cv=none; d=google.com; s=arc-20160816; b=UCz6PAuWdrjm0x8lpQ/LAKgaPgWRr1rewdVSeatMSD3TamttR/LeS7KOw72E9eCLfN onyttaPP8e4xrA5lEFTn27qMJo9dZnRJyQyH3dYalzrCv7XPQucCdtrS03oqhJPDINTZ 26kAE9mVyQstvo9zc6Cxdh/PRUlAPTzGydbVWzpcn4KWMoJtm0dyVvL8ZfAXEiOAuWC+ PVBTDNN189fbi4F4vxECQ0knHAQM5geNnb2rkDVhO+ysVwYrXoLyDgeBhy4WN6mAKf9o vCkQgav8ckm/cG70SNTegQEQbJ5WZbG1s7bKgfzu8x1LF4gXpGwB9OmyhYn7Djtd3X+o ZFCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=QRsPbA1p46E8A6GbcOhXJwYmXO/4mL7ouUZehjUfl10=; b=BhHX/o3bua+hiLLnNWbnhve+VNyw7lmKfySsQFNiL4njtO5+B58R1siglTQHrTHgfF 3kKdTgnnMlajeqhEDNnDxA8uxRDLw97GdglMihfN1pDeRnaSPf1B2whRAHAfy5hqGAN6 eqIDuSVug++TA3c58w7EK/X7lwSyFnZ4uD5PNQSLuHwprc/BQIAxa4X2uGzr7ftrYkgN OgRreA2RCaSbzzCujF7aHRlj9YhnGCq9je7y3xr7Wwh3k3Oq+7HHTdn2QKKOlXQcoAh+ WYkha7FO00a1jJq+AWXr6kA4yX2djIvh4hzSiLFmsS6lZMjuqWbMgeyZGhVQPz5T8Ds/ PCmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iRoqUGef; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p18si2501574plo.223.2019.01.11.06.45.22; Fri, 11 Jan 2019 06:45:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iRoqUGef; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404392AbfAKOnb (ORCPT + 99 others); Fri, 11 Jan 2019 09:43:31 -0500 Received: from mail.kernel.org ([198.145.29.99]:36350 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404367AbfAKOn2 (ORCPT ); Fri, 11 Jan 2019 09:43:28 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 724B420872; Fri, 11 Jan 2019 14:43:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1547217807; bh=R/lRsQL0JvBa4VCX+CAfFFwAtlp3ux5rbadx48Pzi+M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iRoqUGefLRWXoidZNGJSN0kMTNXmsGq0WxbokhPrF85gbTnbxDspXraTXIl6dXQPF h3q3wOu/9Jq60yk8blS29iEywniVBAZYC1XWoWMPEQ/n2LfeorQucxOfiMoxcJa9JC 78zXn/VbEzou/tmbSfNNNT9nXG1SD6ziXkPSh+0Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Steve Wise , Jason Gunthorpe Subject: [PATCH 4.20 49/65] RDMA/iwcm: Dont copy past the end of dev_name() string Date: Fri, 11 Jan 2019 15:15:35 +0100 Message-Id: <20190111131102.958577073@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190111131055.331350141@linuxfoundation.org> References: <20190111131055.331350141@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Steve Wise commit d53ec8af56d5163f8a42e961ece3aeb5c560e79d upstream. We now use dev_name(&ib_device->dev) instead of ib_device->name in iwpm messages. The name field in struct device is a const char *, where as ib_device->name is a char array of size IB_DEVICE_NAME_MAX, and it is pre-initialized to zeros. Since iw_cm_map() was using memcpy() to copy in the device name, and copying IWPM_DEVNAME_SIZE bytes, it ends up copying past the end of the source device name string and copying random bytes. This results in iwpmd failing the REGISTER_PID request from iwcm. Thus port mapping is broken. Validate the device and if names, and use strncpy() to inialize the entire message field. Fixes: 896de0090a85 ("RDMA/core: Use dev_name instead of ibdev->name") Cc: stable@vger.kernel.org Signed-off-by: Steve Wise Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/iwcm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -502,17 +502,21 @@ static void iw_cm_check_wildcard(struct */ static int iw_cm_map(struct iw_cm_id *cm_id, bool active) { + const char *devname = dev_name(&cm_id->device->dev); + const char *ifname = cm_id->device->iwcm->ifname; struct iwpm_dev_data pm_reg_msg; struct iwpm_sa_data pm_msg; int status; + if (strlen(devname) >= sizeof(pm_reg_msg.dev_name) || + strlen(ifname) >= sizeof(pm_reg_msg.if_name)) + return -EINVAL; + cm_id->m_local_addr = cm_id->local_addr; cm_id->m_remote_addr = cm_id->remote_addr; - memcpy(pm_reg_msg.dev_name, dev_name(&cm_id->device->dev), - sizeof(pm_reg_msg.dev_name)); - memcpy(pm_reg_msg.if_name, cm_id->device->iwcm->ifname, - sizeof(pm_reg_msg.if_name)); + strncpy(pm_reg_msg.dev_name, devname, sizeof(pm_reg_msg.dev_name)); + strncpy(pm_reg_msg.if_name, ifname, sizeof(pm_reg_msg.if_name)); if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) || !iwpm_valid_pid())