| Message ID | 20221115170747.1263298-1-bmt@zurich.ibm.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | RDMA/siw: Set defined status for work completion with undefined status | expand |
On Tue, Nov 15, 2022 at 06:07:47PM +0100, Bernard Metzler wrote: > A malicious user may write undefined values into memory mapped completion > queue elements status or opcode. Undefined status or opcode values will > result in out-of-bounds access to an array mapping siw internal > representation of opcode and status to RDMA core representation when > reaping CQ elements. While siw detects those undefined values, > it did not correctly set completion status to a defined value, thus > defeating the whole purpose of the check. > > This bug leads to the following Smatch static checker warning: > > drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe() > error: buffer overflow 'map_cqe_status' 10 <= 21 > > Fixes: bdf1da5df9da: ("RDMA/siw: Fix immediate work request flush to completion queue") > Reported-by: Dan Carpenter <error27@gmail.com> > Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com> > --- > drivers/infiniband/sw/siw/siw_cq.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Applied to for-next, thanks Jason
diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c index acc7bcd538b5..403029de6b92 100644 --- a/drivers/infiniband/sw/siw/siw_cq.c +++ b/drivers/infiniband/sw/siw/siw_cq.c @@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc) if (opcode >= SIW_NUM_OPCODES) { opcode = 0; - status = IB_WC_GENERAL_ERR; + status = SIW_WC_GENERAL_ERR; } else if (status >= SIW_NUM_WC_STATUS) { - status = IB_WC_GENERAL_ERR; + status = SIW_WC_GENERAL_ERR; } wc->opcode = map_wc_opcode[opcode]; wc->status = map_cqe_status[status].ib;
A malicious user may write undefined values into memory mapped completion queue elements status or opcode. Undefined status or opcode values will result in out-of-bounds access to an array mapping siw internal representation of opcode and status to RDMA core representation when reaping CQ elements. While siw detects those undefined values, it did not correctly set completion status to a defined value, thus defeating the whole purpose of the check. This bug leads to the following Smatch static checker warning: drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe() error: buffer overflow 'map_cqe_status' 10 <= 21 Fixes: bdf1da5df9da: ("RDMA/siw: Fix immediate work request flush to completion queue") Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com> --- drivers/infiniband/sw/siw/siw_cq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)