| Message ID | 20180321180925.7756-1-shiraz.saleem@intel.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
On Wed, Mar 21, 2018 at 01:09:25PM -0500, Shiraz Saleem wrote: > From: Chien Tin Tung <chien.tin.tung@intel.com> > > The option size check is using optval instead of optlen > causing the set option call to fail. Use the correct > field, optlen, for size check. > > Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") > Signed-off-by: Chien Tin Tung <chien.tin.tung@intel.com> > Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> > --- > drivers/infiniband/core/ucma.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Thanks for catching this. Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
On Wed, Mar 21, 2018 at 08:14:28PM +0200, Leon Romanovsky wrote: > On Wed, Mar 21, 2018 at 01:09:25PM -0500, Shiraz Saleem wrote: > > From: Chien Tin Tung <chien.tin.tung@intel.com> > > > > The option size check is using optval instead of optlen > > causing the set option call to fail. Use the correct > > field, optlen, for size check. > > > > Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") > > Signed-off-by: Chien Tin Tung <chien.tin.tung@intel.com> > > Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> > > --- > > drivers/infiniband/core/ucma.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > Thanks for catching this. > > Reviewed-by: Leon Romanovsky <leonro@mellanox.com> By the way, do you plan to fix/check rest of ucma/rdma-cm bugs reported by syzkaller? Thanks
On Wed, Mar 21, 2018 at 01:09:25PM -0500, Shiraz Saleem wrote: > From: Chien Tin Tung <chien.tin.tung@intel.com> > > The option size check is using optval instead of optlen > causing the set option call to fail. Use the correct > field, optlen, for size check. > > Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") > Signed-off-by: Chien Tin Tung <chien.tin.tung@intel.com> > Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> > Reviewed-by: Leon Romanovsky <leonro@mellanox.com> > drivers/infiniband/core/ucma.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c > index e5a1e7d..60449d6 100644 > +++ b/drivers/infiniband/core/ucma.c > @@ -1307,7 +1307,7 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, > if (IS_ERR(ctx)) > return PTR_ERR(ctx); > > - if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) > + if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) > return -EINVAL; Gah! That was totally broken! applied to for-rc Thanks, Jason -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c index e5a1e7d..60449d6 100644 --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1307,7 +1307,7 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf, if (IS_ERR(ctx)) return PTR_ERR(ctx); - if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) + if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) return -EINVAL; optval = memdup_user((void __user *) (unsigned long) cmd.optval,