From patchwork Tue Feb 21 18:58:37 2017
X-Patchwork-Submitter: Steve Wise
X-Patchwork-Id: 9585319
From: "Steve Wise"
To: "'Hefty, Sean'" , "'Shaobo'" ,
Cc: , ,
References: <003d01d28c09$46d1e200$d475a600$@cs.utah.edu> <1828884A29C6694DAF28B7E6B8A82373AB0E99BB@ORSMSX109.amr.corp.intel.com>
In-Reply-To: <1828884A29C6694DAF28B7E6B8A82373AB0E99BB@ORSMSX109.amr.corp.intel.com>
Subject: RE: Potential NULL pointer dereference in drivers/infiniband/core
Date: Tue, 21 Feb 2017 12:58:37 -0600
Message-ID: <037c01d28c74$81f7ee90$85e7cbb0$@opengridcomputing.com>
X-Mailing-List: linux-rdma@vger.kernel.org

> > Steve,
> >
> > Can you look at the iWarp code flow described below?

sure:

> > > My name is Shaobo He and I am a graduate student at University of Utah.
> > > I am applying a static analysis tool to the Linux device drivers and
> > > got an error trace of null pointer dereference in
> > > drivers/infiniband/core starting from function `ucma_accept`: it calls
> > > `rdma_accept` with the second argument being NULL. In `rdma_accept`,
> > > `cma_accept_iw` is called with the second argument also being NULL.
> > > Then in `cma_accept_iw`, `cma_modify_qp_rtr` can return 0 if
> > > `id_priv->id.qp` is NULL, which can be suggested by an if statement in
> > > `rdma_accept`. Finally, the second argument `conn_param` of
> > > `cma_accept_iw` gets dereferenced. As you can see, the error trace is
> > > only plausible since it depends on certain conditions. Therefore, I was
> > > wondering if you could confirm it.
> >
> > Based on a quick look, this looks like it's at least a problem in how conn_param is
> > verified. IB allows conn_param to be optional, whereas iWarp requires it. Since
> > this is coming from user space, we can crash.
> >

Agreed. cma_accept_iw() needs to either fail the accept for a NULL conn_param, or generate values for the iw_param struct if conn_param is NULL.
I suggest the former. Something like:

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 3e70a9c..c377afc 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3583,6 +3583,9 @@ static int cma_accept_iw(struct rdma_id_private *id_priv,
 	struct iw_cm_conn_param iw_param;
 	int ret;
 
+	if (!conn_param)
+		return -EINVAL;
+
 	ret = cma_modify_qp_rtr(id_priv, conn_param);
 	if (ret)
 		return ret;

---
Steve.
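Review bot: the `if (!conn_param) return -EINVAL;` guard sits in the right place, ahead of the cma_modify_qp_rtr() call that, per the report above, can return 0 with a NULL conn_param and would otherwise let the later conn_param-> reads run, but the hunk gives no hint why this transport rejects a NULL that the IB path accepts; add a one-line comment above the check, e.g. `/* iWarp requires conn_param; unlike IB it is not optional here */`, and have the commit message say that the NULL arrives from user space via ucma_accept() -> rdma_accept(), since that is what makes this a user-triggerable crash rather than a violated internal invariant.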
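The call chain Shaobo traced (ucma_accept -> rdma_accept -> cma_accept_iw) and the check Steve proposes, as an added stand-alone C model that is not kernel code and not part of this thread. Everything carrying a _model suffix, the would_deref_null() helper and the input values are this example's own assumptions, simplified from the kernel structures and functions named in the thread; the point it shows is that a dispatcher treating a parameter as optional does not protect a callee that requires it, even when an intermediate call (cma_modify_qp_rtr) happens to tolerate NULL:

```c
/* Added example (not kernel code, not from this thread): a user-space model
 * of the optional-vs-required conn_param hazard described above. Names
 * with a _model suffix are simplified stand-ins for rdma_conn_param,
 * iw_cm_conn_param, rdma_id_private, cma_modify_qp_rtr(), cma_accept_iw()
 * and rdma_accept(); all values are constructed for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum transport { XPORT_IB, XPORT_IWARP };

struct conn_param_model {                  /* stand-in for struct rdma_conn_param */
	const void *private_data;
	uint8_t private_data_len;
	uint8_t responder_resources;
	uint8_t initiator_depth;
	uint32_t qp_num;
};

struct iw_param_model {                    /* stand-in for struct iw_cm_conn_param */
	const void *private_data;
	uint16_t private_data_len;
	uint32_t ord, ird, qpn;
};

struct id_priv_model {                     /* stand-in for struct rdma_id_private */
	enum transport xport;
	void *qp;                              /* NULL until user space attaches a QP */
	uint32_t qp_num;
	struct iw_param_model handed_to_iw_cm; /* what iw_cm_accept() would receive */
};

/* Model of cma_modify_qp_rtr(): with no QP attached it returns 0 without
 * ever looking at cp, which is the branch the static analyser relied on. */
static int modify_qp_rtr_model(struct id_priv_model *id, const struct conn_param_model *cp)
{
	if (!id->qp)
		return 0;
	(void)cp; /* the real function guards its own cp read with `if (conn_param)` */
	return 0;
}

/* cma_accept_iw() as reported: every cp-> read assumes cp != NULL, and
 * nothing on the path from ucma_accept() has checked that. */
static int accept_iw_unchecked_model(struct id_priv_model *id, const struct conn_param_model *cp)
{
	int ret = modify_qp_rtr_model(id, cp);
	if (ret)
		return ret;
	id->handed_to_iw_cm.ord = cp->initiator_depth;   /* NULL dereference if cp == NULL */
	id->handed_to_iw_cm.ird = cp->responder_resources;
	id->handed_to_iw_cm.private_data = cp->private_data;
	id->handed_to_iw_cm.private_data_len = cp->private_data_len;
	id->handed_to_iw_cm.qpn = id->qp ? id->qp_num : cp->qp_num;
	return 0;
}

/* The analyser's path condition: cp is NULL and the preceding call
 * succeeded, so the reads above are reached with a NULL pointer. */
static int would_deref_null(struct id_priv_model *id, const struct conn_param_model *cp)
{
	return cp == NULL && modify_qp_rtr_model(id, cp) == 0;
}

/* cma_accept_iw() with the check proposed in the patch above. */
static int accept_iw_checked_model(struct id_priv_model *id, const struct conn_param_model *cp)
{
	if (!cp)
		return -EINVAL; /* iWarp requires conn_param; the dispatcher did not enforce it */
	return accept_iw_unchecked_model(id, cp);
}

/* IB branch of rdma_accept(): a NULL conn_param is legitimate there, so the
 * shared entry point cannot reject it for everyone. */
static int accept_ib_model(struct id_priv_model *id, const struct conn_param_model *cp)
{
	(void)id; (void)cp;
	return 0;
}

/* rdma_accept(): treats conn_param as optional and only copies qp_num when
 * present; each transport must enforce its own requirement. */
static int rdma_accept_model(struct id_priv_model *id, const struct conn_param_model *cp)
{
	if (!id->qp && cp)
		id->qp_num = cp->qp_num;
	switch (id->xport) {
	case XPORT_IB:    return accept_ib_model(id, cp);
	case XPORT_IWARP: return accept_iw_checked_model(id, cp);
	}
	return -ENOSYS;
}

int main(void)
{
	/* constructed input: what ucma_accept() passes for conn_param.valid == 1 / 0 */
	struct conn_param_model cp = { .initiator_depth = 4, .responder_resources = 8, .qp_num = 0x1234 };
	struct id_priv_model ib = { .xport = XPORT_IB }, iw = { .xport = XPORT_IWARP };

	printf("IB,    conn_param=NULL: ret=%d\n", rdma_accept_model(&ib, NULL));
	printf("iWarp, conn_param=NULL: unchecked path derefs NULL=%d, checked ret=%d (-EINVAL=%d)\n",
	       would_deref_null(&iw, NULL), rdma_accept_model(&iw, NULL), -EINVAL);
	printf("iWarp, conn_param set : ret=%d ord=%u ird=%u qpn=0x%x\n", rdma_accept_model(&iw, &cp),
	       iw.handed_to_iw_cm.ord, iw.handed_to_iw_cm.ird, iw.handed_to_iw_cm.qpn);
	return 0;
}
```

The model keeps the check in the transport-specific accept, as the patch does, because the IB branch genuinely accepts NULL; moving the check into the dispatcher would break that path.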