review.tizen.org Git - platform/kernel/linux-amlogic.git/commit

author	Roland Dreier <roland@purestorage.com>
	Wed, 28 Mar 2018 18:27:22 +0000 (11:27 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 8 Apr 2018 10:12:49 +0000 (12:12 +0200)
commit	d0253af4a15b81f7f9d033917c3fd64b65df0154
tree	bda3d2a0e54907b407a801624f548cc4af50effd	tree \| snapshot
parent	5eaa1b1e089708c1afab79bca3950fe93e7c3b35	commit \| diff

RDMA/ucma: Introduce safer rdma_addr_size() variants

commit 84652aefb347297aa08e91e283adf7b18f77c2d5 upstream.

There are several places in the ucma ABI where userspace can pass in a
sockaddr but set the address family to AF_IB.  When that happens,
rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
and the ucma kernel code might end up copying past the end of a buffer
not sized for a struct sockaddr_ib.

Fix this by introducing new variants

    int rdma_addr_size_in6(struct sockaddr_in6 *addr);
    int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);

that are type-safe for the types used in the ucma ABI and return 0 if the
size computed is bigger than the size of the type passed in.  We can use
these new variants to check what size userspace has passed in before
copying any addresses.

Reported-by: <syzbot+6800425d54ed3ed8135d@syzkaller.appspotmail.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/infiniband/core/addr.c		diff \| blob \| history
drivers/infiniband/core/ucma.c		diff \| blob \| history
include/rdma/ib_addr.h		diff \| blob \| history