[Linux-kernel-mentees] [PATCH] infiniband: Fix uninit-value in ucma_connect()


Peilin Ye

Jul 25, 2020, 3:50:41 PM
to Doug Ledford, Jason Gunthorpe, Peilin Ye, Leon Romanovsky, Greg Kroah-Hartman, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, linux...@vger.kernel.org, linux-...@vger.kernel.org
ucma_connect() is reading uninitialized memory when `in_len` is less than
`offsetof(struct rdma_ucm_connect, ece)`. Fix it.

Reported-and-tested-by: syzbot+744652...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=2c85ca2b1aedb22ed1029383751e36cee3f7d047
Signed-off-by: Peilin Ye <yepei...@gmail.com>
---
drivers/infiniband/core/ucma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 5b87eee8ccc8..a591fdccdce0 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1079,7 +1079,7 @@ static ssize_t ucma_connect(struct ucma_file *file, const char __user *inbuf,
{
struct rdma_conn_param conn_param;
struct rdma_ucm_ece ece = {};
- struct rdma_ucm_connect cmd;
+ struct rdma_ucm_connect cmd = {};
struct ucma_context *ctx;
size_t in_size;
int ret;
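Review bot: the commit message should say why an `in_len` shorter than `sizeof(cmd)` is accepted at all rather than rejected; the `size_t in_size` local two lines below the change suggests only `in_len` bytes are copied into `cmd`, so zero-initializing the whole structure is what makes the never-copied tail (the `ece` member named in the commit message) deterministic for older callers that predate it. Stating that turns "Fix it." into a rationale a reviewer can check, and it matches the `struct rdma_ucm_ece ece = {};` line directly above, which already uses the same idiom. `conn_param` on the line above that remains uninitialized; if every member is assigned before use that is fine, but it is worth a sentence in the message.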
--
2.25.1
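An added example, not code from either patch or from the kernel tree, that models in user space the pattern both fixes address: a request structure that gained a trailing member (`ece`), an older client that sends only the bytes before it, and a handler that copies `min(in_len, sizeof(cmd))` bytes into a stack structure. The structure names, field layout and the `parse_connect_*` helpers are hypothetical, `memcpy()` stands in for `copy_from_user()`, and the "before" variant poisons the stack structure with 0xAA so that the stale-data effect is deterministic rather than depending on whatever the stack happened to hold.

```c
/* Added example (not from the patch): models the ucma_connect()/ucma_accept()
 * short-copy pattern in user space. Names are hypothetical; memcpy() stands in
 * for copy_from_user(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the member that was appended to the request ABI later. */
struct ece_param {
    uint32_t vendor_id;
    uint32_t attr_mod;
};

/* Stand-in for struct rdma_ucm_connect: old clients send everything up to
 * (but not including) ece; new clients send the whole structure. */
struct connect_cmd {
    uint64_t response;
    uint32_t id;
    uint32_t reserved;
    struct ece_param ece;
};

/* Shortest request an old client may legitimately pass. */
#define CONNECT_CMD_OLD_LEN offsetof(struct connect_cmd, ece)

/* 'Before' state: cmd starts out holding stale stack contents (poisoned with
 * 0xAA here so the outcome is deterministic). Returns -1 if the request is
 * too short, 0 otherwise. */
static int parse_connect_unsafe(const void *inbuf, size_t in_len,
                                struct connect_cmd *out)
{
    struct connect_cmd cmd;
    size_t in_size;

    memset(&cmd, 0xAA, sizeof(cmd));   /* simulated uninitialized stack */
    if (in_len < CONNECT_CMD_OLD_LEN)
        return -1;
    in_size = in_len < sizeof(cmd) ? in_len : sizeof(cmd);
    memcpy(&cmd, inbuf, in_size);      /* only in_size bytes are overwritten */
    *out = cmd;
    return 0;
}

/* 'After' state: the equivalent of the patch's `cmd = {}`. Every member is
 * zero before the copy, so whatever a short request does not overwrite is
 * zero instead of leftover stack data. */
static int parse_connect_safe(const void *inbuf, size_t in_len,
                              struct connect_cmd *out)
{
    struct connect_cmd cmd = {0};
    size_t in_size;

    if (in_len < CONNECT_CMD_OLD_LEN)
        return -1;
    in_size = in_len < sizeof(cmd) ? in_len : sizeof(cmd);
    memcpy(&cmd, inbuf, in_size);
    *out = cmd;
    return 0;
}

/* 1 if the ece member is all-zero after parsing, 0 otherwise. */
static int ece_is_zero(const struct connect_cmd *c)
{
    return c->ece.vendor_id == 0 && c->ece.attr_mod == 0;
}

/* Feeds a constructed old-format request (only the bytes before ece) through
 * one of the two parsers. Returns 1 if ece came out zero, 0 if it holds
 * leftover data, -1 if the parser rejected the request. */
static int old_request_ece_is_zero(int use_safe_parser)
{
    unsigned char old_req[CONNECT_CMD_OLD_LEN];  /* constructed input */
    struct connect_cmd out;
    int ret;

    memset(old_req, 0, sizeof(old_req));
    ret = use_safe_parser
              ? parse_connect_safe(old_req, sizeof(old_req), &out)
              : parse_connect_unsafe(old_req, sizeof(old_req), &out);
    if (ret)
        return -1;
    return ece_is_zero(&out);
}

/* 1 if a request shorter than the old ABI minimum is rejected, 0 otherwise. */
static int short_request_rejected(void)
{
    unsigned char tiny[4] = {0};  /* constructed: shorter than any valid request */
    struct connect_cmd out;

    return parse_connect_safe(tiny, sizeof(tiny), &out) == -1;
}

int main(void)
{
    printf("unsafe parser, old client: ece zero? %d\n", old_request_ece_is_zero(0));
    printf("safe parser,   old client: ece zero? %d\n", old_request_ece_is_zero(1));
    printf("too-short request rejected? %d\n", short_request_rejected());
    return 0;
}
```

The point the two parsers make together is that the length check alone does not fix the read: an old-format request is a valid input, so the handler must give the fields it never receives a defined value, which is what zero-initializing the structure does.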

Peilin Ye

Jul 25, 2020, 6:04:59 PM
to Doug Ledford, Jason Gunthorpe, Peilin Ye, Leon Romanovsky, Greg Kroah-Hartman, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, linux...@vger.kernel.org, linux-...@vger.kernel.org
ucma_accept() is reading uninitialized memory when `in_len` is
less than `offsetof(struct rdma_ucm_accept, ece)`. Fix it.

Signed-off-by: Peilin Ye <yepei...@gmail.com>
---
drivers/infiniband/core/ucma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index a591fdccdce0..842d297903c0 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1134,7 +1134,7 @@ static ssize_t ucma_listen(struct ucma_file *file, const char __user *inbuf,
static ssize_t ucma_accept(struct ucma_file *file, const char __user *inbuf,
int in_len, int out_len)
{
- struct rdma_ucm_accept cmd;
+ struct rdma_ucm_accept cmd = {};
struct rdma_conn_param conn_param;
struct rdma_ucm_ece ece = {};
struct ucma_context *ctx;
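Review bot: this is the same pattern and the same file as the ucma_connect() patch sent earlier in this thread, so the two belong in one numbered series with a cover note naming the shared cause (the attachment name `0002-infiniband-Prevent-uninit-value-in-ucma_accept.patch` later in the thread suggests that was the intent); as posted, neither commit message mentions the other, so a maintainer could apply one and leave the other function unfixed. As in the first patch, `conn_param` on the line below the change stays uninitialized; if every member is assigned before use, say so in the commit message.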
--
2.25.1

Peilin Ye

Jul 25, 2020, 9:44:23 PM
to Reported-by:, syzkall...@googlegroups.com
0002-infiniband-Prevent-uninit-value-in-ucma_accept.patch

syzbot

Jul 25, 2020, 9:44:23 PM
to Peilin Ye, syzkall...@googlegroups.com, yepei...@gmail.com
I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

syzbot

Jul 25, 2020, 9:44:24 PM
to Peilin Ye, syzkall...@googlegroups.com, yepei...@gmail.com
I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).


Peilin Ye

Jul 25, 2020, 9:46:28 PM
to syzbot+086ab5...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
0002-infiniband-Prevent-uninit-value-in-ucma_accept.patch

syzbot

Jul 25, 2020, 10:17:06 PM
to gli...@google.com, syzkall...@googlegroups.com, yepei...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+086ab5...@syzkaller.appspotmail.com

Tested on:

commit: 93f54a72 instrumented.h: fix KMSAN support
git tree: https://github.com/google/kmsan.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=c534a9fad6323722
dashboard link: https://syzkaller.appspot.com/bug?extid=086ab5ca9eafd2379aa6
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=150bd68c900000

Note: testing is done by a robot and is best-effort only.

Peilin Ye

Jul 25, 2020, 10:28:43 PM
to Doug Ledford, Jason Gunthorpe, Peilin Ye, Leon Romanovsky, Greg Kroah-Hartman, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, linux...@vger.kernel.org, linux-...@vger.kernel.org
ucma_accept() is reading uninitialized memory when `in_len` is
less than `offsetof(struct rdma_ucm_accept, ece)`. Fix it.

Reported-and-tested-by: syzbot+086ab5...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=0bce3bb68cb383fce92f78444e3ef77c764b60ad
Signed-off-by: Peilin Ye <yepei...@gmail.com>
---
Change in v2:
- syzbot has reported this bug as "KMSAN: uninit-value in xa_load".
Add "Reported-and-tested-by:" and "Link:" tags for it.

Jason Gunthorpe

Jul 27, 2020, 10:58:59 AM
to Peilin Ye, Doug Ledford, Leon Romanovsky, Greg Kroah-Hartman, syzkall...@googlegroups.com, linux-kern...@lists.linuxfoundation.org, linux...@vger.kernel.org, linux-...@vger.kernel.org
On Sat, Jul 25, 2020 at 10:27:16PM -0400, Peilin Ye wrote:
> ucma_accept() is reading uninitialized memory when `in_len` is
> less than `offsetof(struct rdma_ucm_accept, ece)`. Fix it.
>
> Reported-and-tested-by: syzbot+086ab5...@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=0bce3bb68cb383fce92f78444e3ef77c764b60ad
> Signed-off-by: Peilin Ye <yepei...@gmail.com>
> ---
> Change in v2:
> - syzbot has reported this bug as "KMSAN: uninit-value in xa_load".
> Add "Reported-and-tested-by:" and "Link:" tags for it.
>
> drivers/infiniband/core/ucma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Already fixed:

https://lore.kernel.org/r/0-v1-d5b86dab17dc+28...@nvidia.com

Jason