From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mark Zhang, Mark Bloch, Leon Romanovsky, Jason Gunthorpe
Subject: [PATCH 5.10 53/77] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
Date: Mon, 1 Nov 2021 10:17:41 +0100
Message-Id: <20211101082522.807183069@linuxfoundation.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211101082511.254155853@linuxfoundation.org>
References: <20211101082511.254155853@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mark Zhang

commit 64733956ebba7cc629856f4a6ee35a52bc9c023f upstream.

When copying the device name, the length of the data memcpy copied exceeds
the length of the source buffer, which causes the KASAN issue below. Use
strscpy_pad() instead.

 BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
 Read of size 64 at addr ffff88811a10f5e0 by task rping/140263

 CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Call Trace:
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0+0x1d/0xa0
  kasan_report+0xcb/0x110
  kasan_check_range+0x13d/0x180
  memcpy+0x20/0x60
  ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
  ib_nl_make_request+0x1c6/0x380 [ib_core]
  send_mad+0x20a/0x220 [ib_core]
  ib_sa_path_rec_get+0x3e3/0x800 [ib_core]
  cma_query_ib_route+0x29b/0x390 [rdma_cm]
  rdma_resolve_route+0x308/0x3e0 [rdma_cm]
  ucma_resolve_route+0xe1/0x150 [rdma_ucm]
  ucma_write+0x17b/0x1f0 [rdma_ucm]
  vfs_write+0x142/0x4d0
  ksys_write+0x133/0x160
  do_syscall_64+0x43/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f26499aa90f
 Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48
 RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f
 RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003
 RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001
 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f26495f2e00
 R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810

 Allocated by task 131419:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  proc_self_get_link+0x8b/0x100
  pick_link+0x4f1/0x5c0
  step_into+0x2eb/0x3d0
  walk_component+0xc8/0x2c0
  link_path_walk+0x3b8/0x580
  path_openat+0x101/0x230
do_filp_open+0x12e/0x240 do_sys_openat2+0x115/0x280 __x64_sys_openat+0xce/0x140 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink") Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.com Signed-off-by: Mark Zhang Reviewed-by: Mark Bloch Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/sa_query.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/infiniband/core/sa_query.c +++ b/drivers/infiniband/core/sa_query.c @@ -760,8 +760,9 @@ static void ib_nl_set_path_rec_attrs(str /* Construct the family header first */ header = skb_put(skb, NLMSG_ALIGN(sizeof(*header))); - memcpy(header->device_name, dev_name(&query->port->agent->device->dev), - LS_DEVICE_NAME_MAX); + strscpy_pad(header->device_name, + dev_name(&query->port->agent->device->dev), + LS_DEVICE_NAME_MAX); header->port_num = query->port->port_num; if ((comp_mask & IB_SA_PATH_REC_REVERSIBLE) &&
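
Review bot: the return value of strscpy_pad() is discarded in ib_nl_set_path_rec_attrs(), so a dev_name() of LS_DEVICE_NAME_MAX characters or more would be truncated into header->device_name with no indication (strscpy_pad() returns -E2BIG in that case). Since the function returns void, either a WARN_ON_ONCE() on a negative return or a short comment stating whether truncation can happen here would make the assumption explicit. The padding variant is the right choice for this copy: header comes straight from skb_put(), which does not zero the area it reserves, so the zero fill from strscpy_pad() keeps the bytes after the terminator from going out uninitialized in the netlink message.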