Message ID | 20200811191457.6309-1-rpearson@hpe.com (mailing list archive) |
---|---|
State | Changes Requested |
Series | [1/1] Address an issue with hardened user copy |
On Tue, Aug 11, 2020 at 02:14:57PM -0500, Bob Pearson wrote:
> by copying to user space from the stack instead of slab cache.
> This affects the rdma_rxe driver causing a warning once per boot.
> The alternative is to ifigure out how to whitelist the xxx_qp struct

ifigure -> figure

> but this seems simple and clean.

We have multiple cases like this in the code, what is the error exactly?
And what is "hardened user copy"?

>
> ---

Signed-off-by is missing.

> drivers/infiniband/core/uverbs_std_types_qp.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c > index 3bf8dcdfe7eb..2f8b14003b95 100644 > --- a/drivers/infiniband/core/uverbs_std_types_qp.c > +++ b/drivers/infiniband/core/uverbs_std_types_qp.c > @@ -98,6 +98,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( > struct ib_device *device; > u64 user_handle; > int ret; > + int qp_num; > > ret = uverbs_copy_from_or_zero(&cap, attrs, > UVERBS_ATTR_CREATE_QP_CAP); > @@ -293,9 +294,10 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( > if (ret) > return ret; > > + /* copy from stack to avoid whitelisting issues */ > + qp_num = qp->qp_num; > ret = uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM, > - &qp->qp_num, > - sizeof(qp->qp_num)); > + &qp_num, sizeof(qp_num)); > > return ret; > err_put: > -- > 2.25.1 >
On 8/12/20 12:52 AM, Leon Romanovsky wrote:
> On Tue, Aug 11, 2020 at 02:14:57PM -0500, Bob Pearson wrote:
>> by copying to user space from the stack instead of slab cache.
>> This affects the rdma_rxe driver causing a warning once per boot.
>> The alternative is to ifigure out how to whitelist the xxx_qp struct
>
> ifigure -> figure
>
>> but this seems simple and clean.
>
>
> We have multiple cases like this in the code, what is the error exactly?
> And what is "hardened user copy"?

read https://lwn.net/Articles/727322/
On Wed, Aug 12, 2020 at 08:52:55AM +0300, Leon Romanovsky wrote:
> On Tue, Aug 11, 2020 at 02:14:57PM -0500, Bob Pearson wrote:
> > by copying to user space from the stack instead of slab cache.
> > This affects the rdma_rxe driver causing a warning once per boot.
> > The alternative is to ifigure out how to whitelist the xxx_qp struct
>
> ifigure -> figure
>
> > but this seems simple and clean.
>
>
> We have multiple cases like this in the code, what is the error exactly?
> And what is "hardened user copy"?
>
> >
>
> Signed-off-by is missing.

Can't take any patches without signed-off-by

Jason
diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c index 3bf8dcdfe7eb..2f8b14003b95 100644 --- a/drivers/infiniband/core/uverbs_std_types_qp.c +++ b/drivers/infiniband/core/uverbs_std_types_qp.c @@ -98,6 +98,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( struct ib_device *device; u64 user_handle; int ret; + int qp_num; ret = uverbs_copy_from_or_zero(&cap, attrs, UVERBS_ATTR_CREATE_QP_CAP); @@ -293,9 +294,10 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( if (ret) return ret; + /* copy from stack to avoid whitelisting issues */ + qp_num = qp->qp_num; ret = uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM, - &qp->qp_num, - sizeof(qp->qp_num)); + &qp_num, sizeof(qp_num)); return ret; err_put:
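Review bot: In the first hunk (@@ -98,6 +98,7), the new local is declared as `int qp_num`, while the length passed to uverbs_copy_to() changes from `sizeof(qp->qp_num)` to `sizeof(qp_num)`. The bytes returned to user space only stay the same size and signedness if the local has exactly the field's type, so declare it with the type of `qp->qp_num` rather than a plain `int`.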
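Review bot: The comment `/* copy from stack to avoid whitelisting issues */` in the second hunk (@@ -293,9 +294,10) does not say which check is being avoided or why `qp` trips it. Name hardened usercopy and the slab cache the qp is allocated from, as the commit message does. The commit message ties the warning to rdma_rxe only, yet this change is in the core handler under drivers/infiniband/core and applies to every driver; quoting the warning text in the commit message would let reviewers judge whether a stack bounce copy here or whitelisting the region in the driver's cache is the right fix.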