From patchwork Mon Jan 22 11:24:15 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10178271
Date: Mon, 22 Jan 2018 03:24:15 -0800
From: Kees Cook
To: Santosh Shilimkar
Cc: Honggang Li, linux-kernel@vger.kernel.org, Sowmini Varadhan, Steve Beattie, Andy Whitcroft, "David S. Miller", Jay Fenlason, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com
Subject: [PATCH] RDS: Fix rds-ping inducing kernel panic
Message-ID: <20180122112415.GA41074@beast>
List-ID: linux-rdma@vger.kernel.org

As described in:

https://bugzilla.redhat.com/show_bug.cgi?id=822754

Attempting an RDS connection from the IP address of an IPoIB interface
to itself causes a kernel panic due to a BUG_ON() being triggered.
Making the test less strict allows rds-ping to work without crashing
the machine. A local unprivileged user could use this flaw to crash the
system.

I think this fix was written by Jay Fenlason, and extracted from the
RedHat kernel patches here:

https://oss.oracle.com/git/gitweb.cgi?p=redpatch.git;a=commitdiff;h=c7b6a0a1d8d636852be130fa15fa8be10d4704e8

This fix appears to have been carried by at least RedHat, Oracle, and
Ubuntu for several years.

CVE-2012-2372
Reported-by: Honggang Li
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
---
This is what I get for researching CVE lifetimes...
---
 net/rds/ib_send.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 8557a1cae041..5fbf635d17cb 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -506,7 +506,7 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
 int flow_controlled = 0;
 int nr_sig = 0;
- BUG_ON(off % RDS_FRAG_SIZE);
+ BUG_ON(!conn->c_loopback && off % RDS_FRAG_SIZE);
 BUG_ON(hdr_off != 0 && hdr_off != sizeof(struct rds_header));
 /* Do not send cong updates to IB loopback */
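Review bot: The relaxed assertion in this hunk still leaves a BUG_ON() keyed on a value that, by the commit message's own account, an unprivileged local user can influence, and nothing in the hunk or the message says why a loopback connection legitimately reaches rds_ib_xmit() with `off` not a multiple of RDS_FRAG_SIZE. Please add a comment above the check explaining the loopback carve-out (the function already special-cases loopback a few lines later with "Do not send cong updates to IB loopback", so one comment could cover both), and consider whether the non-loopback case should become `WARN_ON_ONCE()` plus an error return rather than a panic, since a misaligned `off` on a real IB connection would still take the whole machine down instead of failing that one send.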