From patchwork Tue Feb 12 11:23:47 2019
X-Patchwork-Submitter: Yuval Shaia
X-Patchwork-Id: 10807781
From: Yuval Shaia
To: yuval.shaia@oracle.com, marcel.apfelbaum@gmail.com, qemu-devel@nongnu.org, sam.j.smith@oracle.com, richard.b.johnson@oracle.com
Date: Tue, 12 Feb 2019 13:23:47 +0200
Message-Id: <20190212112347.1605-1-yuval.shaia@oracle.com>
Subject: [Qemu-devel] [PATCH] contrib/rdmacm-mux: Fix out-of-bounds risk

The function get_fd extracts the context from the received MAD message and uses it as a key to fetch the destination fd from the mapping table. A context can be the dgid, in the case of a CM request message, or the comm_id, in the case of a CM SIDR response message.

When a MAD message with a smaller size than expected for the received message type arrives, we hit an out-of-bounds access, looking for the context outside the message boundaries.

Fix it by validating the message size.

Reported-by: Sam Smith
Signed-off-by: Yuval Shaia
Reviewed-by: Philippe Mathieu-Daudé
---
 contrib/rdmacm-mux/main.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c index ae88c77a1e..21cc804367 100644 --- a/contrib/rdmacm-mux/main.c
+++ b/contrib/rdmacm-mux/main.c @@ -300,7 +300,7 @@ static void hash_tbl_remove_fd_ifid_pair(int fd) pthread_rwlock_unlock(&server.lock); } -static int get_fd(const char *mad, int *fd, __be64 *gid_ifid) +static int get_fd(const char *mad, int umad_len, int *fd, __be64 *gid_ifid) { struct umad_hdr *hdr = (struct umad_hdr *)mad; char *data = (char *)hdr + sizeof(*hdr); @@ -308,13 +308,35 @@ static int get_fd(const char *mad, int *fd, __be64 *gid_ifid) uint16_t attr_id = be16toh(hdr->attr_id); int rc = 0; + if (umad_len <= sizeof(*hdr)) { + rc = -EINVAL; + syslog(LOG_DEBUG, "Ignoring MAD packets with header only\n"); + goto out; + } + switch (attr_id) { case UMAD_CM_ATTR_REQ: + if (unlikely(umad_len < sizeof(*hdr) + CM_REQ_DGID_POS + + sizeof(*gid_ifid))) { + rc = -EINVAL; + syslog(LOG_WARNING, + "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad_len, + attr_id); + goto out; + } memcpy(gid_ifid, data + CM_REQ_DGID_POS, sizeof(*gid_ifid)); rc = hash_tbl_search_fd_by_ifid(fd, gid_ifid); break; case UMAD_CM_ATTR_SIDR_REQ: + if (unlikely(umad_len < sizeof(*hdr) + CM_SIDR_REQ_DGID_POS + + sizeof(*gid_ifid))) { + rc = -EINVAL; + syslog(LOG_WARNING, + "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad_len, + attr_id); + goto out; + } memcpy(gid_ifid, data + CM_SIDR_REQ_DGID_POS, sizeof(*gid_ifid)); rc = hash_tbl_search_fd_by_ifid(fd, gid_ifid); break; @@ -331,6 +353,13 @@ static int get_fd(const char *mad, int *fd, __be64 *gid_ifid) data += sizeof(comm_id); /* Fall through */ case UMAD_CM_ATTR_SIDR_REP: + if (unlikely(umad_len < sizeof(*hdr) + sizeof(comm_id))) { + rc = -EINVAL; + syslog(LOG_WARNING, + "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad_len, + attr_id); + goto out; + } memcpy(&comm_id, data, sizeof(comm_id)); if (comm_id) { rc = hash_tbl_search_fd_by_comm_id(comm_id, fd, gid_ifid); 
@@ -344,6 +373,7 @@ static int get_fd(const char *mad, int *fd, __be64 *gid_ifid) syslog(LOG_DEBUG, "mad_to_vm: %d 0x%x 0x%x\n", *fd, attr_id, comm_id); +out: return rc; } @@ -372,7 +402,8 @@ static void *umad_recv_thread_func(void *args) } while (rc && server.run); if (server.run) { - rc = get_fd(msg.umad.mad, &fd, &msg.hdr.sgid.global.interface_id); + rc = get_fd(msg.umad.mad, msg.umad_len, &fd, + &msg.hdr.sgid.global.interface_id); if (rc) { continue; }
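Review bot: the new parameter in the first hunk (`static int get_fd(const char *mad, int umad_len, int *fd, __be64 *gid_ifid)`) is a signed int, but every check added later compares it against size_t expressions such as `sizeof(*hdr)` and `sizeof(*hdr) + CM_REQ_DGID_POS + sizeof(*gid_ifid)`; under the usual arithmetic conversions a negative umad_len becomes a very large unsigned value and sails past all of them. Either reject negative lengths at the top (`if (umad_len < 0) { rc = -EINVAL; goto out; }`) or make the parameter a size_t so both sides of each comparison are unsigned.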
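Review bot: in the second hunk the header-only rejection logs at LOG_DEBUG ("Ignoring MAD packets with header only") while the two per-attribute checks that follow log at LOG_WARNING, so a truncated message is reported at a different severity depending on how short it is; since both are the same malformed-input condition, use one level so monitoring sees them consistently. The REQ and SIDR_REQ checks are also identical apart from the offset constant; a small helper taking the required length (or computing it as `CM_REQ_DGID_POS + sizeof(*gid_ifid)` / `CM_SIDR_REQ_DGID_POS + sizeof(*gid_ifid)`) would keep the three rc/syslog/goto blocks from drifting apart.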
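Review bot: the check added in the third hunk is too weak on the fall-through path. The case above `case UMAD_CM_ATTR_SIDR_REP:` executes `data += sizeof(comm_id);` before falling through, so when control arrives that way `memcpy(&comm_id, data, sizeof(comm_id));` reads from offset `sizeof(*hdr) + sizeof(comm_id)`, yet the new test only requires `umad_len >= sizeof(*hdr) + sizeof(comm_id)`; a message of exactly that length still reads sizeof(comm_id) bytes past its end. Compute the bound from the actual read position, e.g. `if (umad_len < (data - mad) + sizeof(comm_id))`, or check each case before the `data +=` with its own required length.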
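Review bot: the call-site hunk passes `msg.umad_len` into get_fd, but nothing in this patch shows where that field is assigned; please confirm it holds the length actually received for this message rather than the buffer capacity handed to the receive call, otherwise every new check is satisfied by the buffer size and the fix has no effect.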