From patchwork Fri Mar 30 04:24:55 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg Thelen <gthelen@google.com>
X-Patchwork-Id: 10316969
Return-Path: <linux-rdma-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	51A5860383 for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 30 Mar 2018 04:25:27 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 373612A498
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 30 Mar 2018 04:25:27 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 29A902A49E; Fri, 30 Mar 2018 04:25:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0DF82A498
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Fri, 30 Mar 2018 04:25:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1750765AbeC3EZZ (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Fri, 30 Mar 2018 00:25:25 -0400
Received: from mail-pf0-f194.google.com ([209.85.192.194]:46515 "EHLO
	mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750741AbeC3EZY (ORCPT
	<rfc822; linux-rdma@vger.kernel.org>); Fri, 30 Mar 2018 00:25:24 -0400
Received: by mail-pf0-f194.google.com with SMTP id h69so4685590pfe.13
	for <linux-rdma@vger.kernel.org>;
	Thu, 29 Mar 2018 21:25:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=R5DtMlqZHrWko5bhCK2DDd4cprsiSJx3Ws7FzagPq0s=;
	b=bXLGbFQGV6QxsWQ+0LQzHvw0OP4/sTTDzkYAgoyTbu/FXsZy4+6oj4eLzQWSuYs73l
	g4RaRy3xOZtX3tzHGxD8oNfDccjGh+2634LQgdLl8AOHDmvtNR51xf1UUq/pzsji9i6K
	ERBC4mvYIY3twGxci19cjcxDAf9Ul6WMLio8Y/MTc2tMGXb+LLh0f1e0hvKuvBbK567W
	6ydBZwW3J4B4mHeVAnE9LQl0WEFc4qPCwKSH/rX4nU8ZjS0o6Y6Z7aFo+yuhCTtpNzXs
	TIiY8lzxkNXFjVp76y9ZvfCQBrcPrAPFXYjOOE5R4QLXvLeVPs4h6kh6SeFkg0fScVVQ
	K5nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=R5DtMlqZHrWko5bhCK2DDd4cprsiSJx3Ws7FzagPq0s=;
	b=M73JBl7NQiwF4xB1cfewNRzsvJaF00C3NEALOogise3FLLCHMHIHd/Ne4e/kpLsq8+
	cETDeZIy+iM9sy5207BAZkqznfRL5o10cLS+kJJPXQLBEbXlzV63IlfIC5kWaE5ozHNv
	AnuZbK2RuMqmRkfZ2qb4g3uQzBFIEHkj5cEW3RTTgx8xrIBVcVuBx/vQauBUQCsOyxiJ
	HVOPPCrk2VY4EHyLByxn5UB04bloul0+bMqXEUy5CNH0W2HdnpGL4Y+RRm6jWysn3C7m
	KcIoxQe9uTaPeK+OnQ+fO++QaAB3htst7KyoPfX7K8ZbC9Hy4s3JF7D7rBB0+M1X90XN
	vBRg==
X-Gm-Message-State: AElRT7HQ8uhPSssyU+KXzsrOyoOc+4/0jJu03SwG3DItiKvEN77JCL30
	DX3VG8+Wvb49K0Ox0u1lVB3ZVQ==
X-Google-Smtp-Source: 
 AIpwx48SwHG30hdEfxNK6p/4hWw9X55ch4bqMWCyo87uIdMxIRBgqAN9aXDJmZO/0odtTbjMQyqXfg==
X-Received: by 2002:a17:902:102a:: with SMTP id
	b39-v6mr6581112pla.112.1522383923167;
	Thu, 29 Mar 2018 21:25:23 -0700 (PDT)
Received: from gthelen.svl.corp.google.com
	([2620:15c:2cb:201:7fd0:97b4:747b:9bf1])
	by smtp.gmail.com with ESMTPSA id
	r8sm12898691pgn.19.2018.03.29.21.25.21
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 29 Mar 2018 21:25:22 -0700 (PDT)
From: Greg Thelen <gthelen@google.com>
To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@ziepe.ca>,
	Sean Hefty <sean.hefty@intel.com>
Cc: linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org,
	Greg Thelen <gthelen@google.com>
Subject: [PATCH] RDMA/ucma: reject AF_IB ip multicast requests
Date: Thu, 29 Mar 2018 21:24:55 -0700
Message-Id: <20180330042455.81032-1-gthelen@google.com>
X-Mailer: git-send-email 2.17.0.rc1.321.gba9d0f2565-goog
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

syzbot discovered that ucma_join_ip_multicast() mishandles AF_IB request
addresses.  If an RDMA_USER_CM_CMD_JOIN_IP_MCAST request has
cmd.addr.sa_family=AF_IB then ucma_join_ip_multicast() reads beyond the
end of its cmd.addr.

Reject non IP RDMA_USER_CM_CMD_JOIN_IP_MCAST requests.
RDMA_USER_CM_CMD_JOIN_MCAST is interface for AF_IB multicast.

And add a buffer length safety check.

Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
Signed-off-by: Greg Thelen <gthelen@google.com>
---
 drivers/infiniband/core/ucma.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index e5a1e7d81326..e410e03940ff 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1423,11 +1423,19 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file,
 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
 		return -EFAULT;
 
+	switch (cmd.addr.sin6_family) {
+	case AF_INET:
+	case AF_INET6:
+		break;
+	default:
+		return -EINVAL;
+	}
+
 	join_cmd.response = cmd.response;
 	join_cmd.uid = cmd.uid;
 	join_cmd.id = cmd.id;
 	join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
-	if (!join_cmd.addr_size)
+	if (!join_cmd.addr_size || join_cmd.addr_size > sizeof(cmd.addr))
 		return -EINVAL;
 
 	join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER;