[1/3] IB/mad: Fix an array index check

Message ID	396b3fe2-6a84-efed-07de-3e6381009ad1@sandisk.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <linux-rdma-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates 63.163.107.225 as permitted sender) receiver=protection.outlook.com; client-ip=63.163.107.225; helo=milsmgep14.sandisk.com; Subject: [PATCH 1/3] IB/mad: Fix an array index check To: Doug Ledford <dledford@redhat.com> References: <94eb11fc-b558-b994-c933-da784caefc53@sandisk.com> CC: "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>, Sean Hefty <sean.hefty@intel.com> From: Bart Van Assche <bart.vanassche@sandisk.com> Message-ID: <396b3fe2-6a84-efed-07de-3e6381009ad1@sandisk.com> Date: Mon, 21 Nov 2016 10:21:17 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 In-Reply-To: <94eb11fc-b558-b994-c933-da784caefc53@sandisk.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; CY4PR02MB2855; 7:W68OsHdC3UJgB63Bby9Vj4ZHtzfpvkDuPJ3NJahfYMmXf6jlQvnWFHUiTxHjAxQk6mG9oebS3CvUZc+7KzGYJHIuC2n60bYvUfqLM4DK9zJvJAWjETRWrjg7yJ9SvKU1atjR9u1WJZx26DrBk62+gM4o9PgobgiSscclG0cZAQv8ZcXZaybHU2pAa5J3+JuPwP9HuTauputCsF8Ep0v7Mez/oTJAmNhnCmcDjyiHNW4rDjc6qLmT8XXPP0f7yNhrUpPqe/uzZwFeFgL/jL1YoRgT3kgHfnbTh171iJPSsvPTQmfpb3HwIf4Iz7ez4r0f212fbUGycxgzBeoxzoQ7K719sV4lP9yoH50bwrEdD7Q=; 20:rNOXg0WXazfd1q2OuHWjk5lcDyXEJOJfXmrJGjVIvecp5zedBsosIdCumKinRuEjQUsZHCvlstU6qFuEHHxDly7kye8Yhb8jAO8NwtBCTS3sijHgsyTbsYAuoegsFRm9vwCP/2mD67W/XyeDot4P3AGqTf/Ouuzhq3ZToEXsnlx1/UwecM7cea/SVm90/BC/ept3aPdVPuRFgRgJplrsepZlnrDSShARZQcTseKMzPrKfBdIxxKPxXFSQ+KjcVvE Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk

Message ID

396b3fe2-6a84-efed-07de-3e6381009ad1@sandisk.com (mailing list archive)

State

Accepted

Headers

Received-SPF: Pass (protection.outlook.com: domain of sandisk.com designates
	63.163.107.225 as permitted sender)
	receiver=protection.outlook.com; 
	client-ip=63.163.107.225; helo=milsmgep14.sandisk.com;
Subject: [PATCH 1/3] IB/mad: Fix an array index check
To: Doug Ledford <dledford@redhat.com>
References: <94eb11fc-b558-b994-c933-da784caefc53@sandisk.com>
CC: "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
	Sean Hefty <sean.hefty@intel.com>
From: Bart Van Assche <bart.vanassche@sandisk.com>
Message-ID: <396b3fe2-6a84-efed-07de-3e6381009ad1@sandisk.com>
Date: Mon, 21 Nov 2016 10:21:17 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <94eb11fc-b558-b994-c933-da784caefc53@sandisk.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Nov 2016 18:21:23.4951
	(UTC)
X-MS-Exchange-CrossTenant-Id: fcd9ea9c-ae8c-460c-ab3c-3db42d7ac64d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=fcd9ea9c-ae8c-460c-ab3c-3db42d7ac64d;
	Ip=[63.163.107.225]; Helo=[milsmgep14.sandisk.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR02MB2855
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Bart Van Assche Nov. 21, 2016, 6:21 p.m. UTC

The array ib_mad_mgmt_class_table.method_table has MAX_MGMT_CLASS
(80) elements. Hence compare the array index with that value instead
of with IB_MGMT_MAX_METHODS (128). This patch avoids that Coverity
reports the following:

Overrunning array class->method_table of 80 8-byte elements at element index 127 (byte offset 1016) using index convert_mgmt_class(mad_hdr->mgmt_class) (which evaluates to 127).

Fixes: commit b7ab0b19a85f ("IB/mad: Verify mgmt class in received MADs")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Sean Hefty <sean.hefty@intel.com>
Cc: <stable@vger.kernel.org>
---
 drivers/infiniband/core/mad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Hal Rosenstock Nov. 21, 2016, 8:17 p.m. UTC | #1

On 11/21/2016 1:21 PM, Bart Van Assche wrote:
> The array ib_mad_mgmt_class_table.method_table has MAX_MGMT_CLASS
> (80) elements. Hence compare the array index with that value instead
> of with IB_MGMT_MAX_METHODS (128). This patch avoids that Coverity
> reports the following:
> 
> Overrunning array class->method_table of 80 8-byte elements at element index 127 (byte offset 1016) using index convert_mgmt_class(mad_hdr->mgmt_class) (which evaluates to 127).
> 
> Fixes: commit b7ab0b19a85f ("IB/mad: Verify mgmt class in received MADs")
> Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>

Reviewed-by: Hal Rosenstock <hal@mellanox.com>

> Cc: Sean Hefty <sean.hefty@intel.com>
> Cc: <stable@vger.kernel.org>
> ---
>  drivers/infiniband/core/mad.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
> index 40cbd6b..2395fe2 100644
> --- a/drivers/infiniband/core/mad.c
> +++ b/drivers/infiniband/core/mad.c
> @@ -1746,7 +1746,7 @@ find_mad_agent(struct ib_mad_port_private *port_priv,
>  			if (!class)
>  				goto out;
>  			if (convert_mgmt_class(mad_hdr->mgmt_class) >=
> -			    IB_MGMT_MAX_METHODS)
> +			    ARRAY_SIZE(class->method_table))
>  				goto out;
>  			method = class->method_table[convert_mgmt_class(
>  							mad_hdr->mgmt_class)];
> 

I think there is also similar thing in missing check in ib_register_mad_agent where:

        /*
         * Make sure MAD registration (if supplied)
         * is non overlapping with any existing ones
         */
        if (mad_reg_req) {
                mgmt_class = convert_mgmt_class(mad_reg_req->mgmt_class);
                if (!is_vendor_class(mgmt_class)) {
                        class = port_priv->version[mad_reg_req->
                                                   mgmt_class_version].class;
                        if (class) {
                                method = class->method_table[mgmt_class];

so here the class' method_table is also accessed without checking mgmt_class for range violation, right ?

-- Hal

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Bart Van Assche Nov. 21, 2016, 8:52 p.m. UTC | #2

On 11/21/2016 12:17 PM, Hal Rosenstock wrote:
> I think there is also similar thing in missing check in ib_register_mad_agent where:
> 
>         /*
>          * Make sure MAD registration (if supplied)
>          * is non overlapping with any existing ones
>          */
>         if (mad_reg_req) {
>                 mgmt_class = convert_mgmt_class(mad_reg_req->mgmt_class);
>                 if (!is_vendor_class(mgmt_class)) {
>                         class = port_priv->version[mad_reg_req->
>                                                    mgmt_class_version].class;
>                         if (class) {
>                                 method = class->method_table[mgmt_class];
> 
> so here the class' method_table is also accessed without checking mgmt_class for range violation, right ?

Hello Hal,

I think such a check is already present in ib_register_mad_agent():

		if (mad_reg_req->mgmt_class >= MAX_MGMT_CLASS) {
			/*
			 * IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE is the only
			 * one in this range currently allowed
			 */
			if (mad_reg_req->mgmt_class !=
			    IB_MGMT_CLASS_SUBN_DIRECTED_ROUTE) {
				dev_notice(&device->dev,
					   "%s: Invalid Mgmt Class 0x%x\n",
					   __func__, mad_reg_req->mgmt_class);
				goto error1;
			}
		} [ ... ]

Bart.
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Hal Rosenstock Nov. 21, 2016, 9:17 p.m. UTC | #3

Hi Bart,

On 11/21/2016 3:52 PM, Bart Van Assche wrote:
> Hello Hal,
> 
> I think such a check is already present in ib_register_mad_agent():
> 
> 		if (mad_reg_req->mgmt_class >= MAX_MGMT_CLASS) {

You're right.

-- Hal
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Ira Weiny Nov. 22, 2016, 4:48 p.m. UTC | #4

PiANCj4gVGhlIGFycmF5IGliX21hZF9tZ210X2NsYXNzX3RhYmxlLm1ldGhvZF90YWJsZSBoYXMg
TUFYX01HTVRfQ0xBU1MNCj4gKDgwKSBlbGVtZW50cy4gSGVuY2UgY29tcGFyZSB0aGUgYXJyYXkg
aW5kZXggd2l0aCB0aGF0IHZhbHVlIGluc3RlYWQgb2Ygd2l0aA0KPiBJQl9NR01UX01BWF9NRVRI
T0RTICgxMjgpLiBUaGlzIHBhdGNoIGF2b2lkcyB0aGF0IENvdmVyaXR5IHJlcG9ydHMgdGhlDQo+
IGZvbGxvd2luZzoNCj4gDQo+IE92ZXJydW5uaW5nIGFycmF5IGNsYXNzLT5tZXRob2RfdGFibGUg
b2YgODAgOC1ieXRlIGVsZW1lbnRzIGF0IGVsZW1lbnQgaW5kZXgNCj4gMTI3IChieXRlIG9mZnNl
dCAxMDE2KSB1c2luZyBpbmRleCBjb252ZXJ0X21nbXRfY2xhc3MobWFkX2hkci0NCj4gPm1nbXRf
Y2xhc3MpICh3aGljaCBldmFsdWF0ZXMgdG8gMTI3KS4NCj4gDQo+IEZpeGVzOiBjb21taXQgYjdh
YjBiMTlhODVmICgiSUIvbWFkOiBWZXJpZnkgbWdtdCBjbGFzcyBpbiByZWNlaXZlZCBNQURzIikN
Cj4gU2lnbmVkLW9mZi1ieTogQmFydCBWYW4gQXNzY2hlIDxiYXJ0LnZhbmFzc2NoZUBzYW5kaXNr
LmNvbT4NCj4gQ2M6IFNlYW4gSGVmdHkgPHNlYW4uaGVmdHlAaW50ZWwuY29tPg0KPiBDYzogPHN0
YWJsZUB2Z2VyLmtlcm5lbC5vcmc+DQoNClRoYW5rcyENCg0KUmV2aWV3ZWQtYnk6IElyYSBXZWlu
eSA8aXJhLndlaW55QGludGVsLmNvbT4NCg0KPiAtLS0NCj4gIGRyaXZlcnMvaW5maW5pYmFuZC9j
b3JlL21hZC5jIHwgMiArLQ0KPiAgMSBmaWxlIGNoYW5nZWQsIDEgaW5zZXJ0aW9uKCspLCAxIGRl
bGV0aW9uKC0pDQo+IA0KPiBkaWZmIC0tZ2l0IGEvZHJpdmVycy9pbmZpbmliYW5kL2NvcmUvbWFk
LmMgYi9kcml2ZXJzL2luZmluaWJhbmQvY29yZS9tYWQuYyBpbmRleA0KPiA0MGNiZDZiLi4yMzk1
ZmUyIDEwMDY0NA0KPiAtLS0gYS9kcml2ZXJzL2luZmluaWJhbmQvY29yZS9tYWQuYw0KPiArKysg
Yi9kcml2ZXJzL2luZmluaWJhbmQvY29yZS9tYWQuYw0KPiBAQCAtMTc0Niw3ICsxNzQ2LDcgQEAg
ZmluZF9tYWRfYWdlbnQoc3RydWN0IGliX21hZF9wb3J0X3ByaXZhdGUNCj4gKnBvcnRfcHJpdiwN
Cj4gIAkJCWlmICghY2xhc3MpDQo+ICAJCQkJZ290byBvdXQ7DQo+ICAJCQlpZiAoY29udmVydF9t
Z210X2NsYXNzKG1hZF9oZHItPm1nbXRfY2xhc3MpID49DQo+IC0JCQkgICAgSUJfTUdNVF9NQVhf
TUVUSE9EUykNCj4gKwkJCSAgICBBUlJBWV9TSVpFKGNsYXNzLT5tZXRob2RfdGFibGUpKQ0KPiAg
CQkJCWdvdG8gb3V0Ow0KPiAgCQkJbWV0aG9kID0gY2xhc3MtPm1ldGhvZF90YWJsZVtjb252ZXJ0
X21nbXRfY2xhc3MoDQo+ICAJCQkJCQkJbWFkX2hkci0NCj4gPm1nbXRfY2xhc3MpXTsNCj4gLS0N
Cj4gMi4xMC4yDQo+IA0KPiANCj4gLS0NCj4gVG8gdW5zdWJzY3JpYmUgZnJvbSB0aGlzIGxpc3Q6
IHNlbmQgdGhlIGxpbmUgInVuc3Vic2NyaWJlIGxpbnV4LXJkbWEiIGluDQo+IHRoZSBib2R5IG9m
IGEgbWVzc2FnZSB0byBtYWpvcmRvbW9Admdlci5rZXJuZWwub3JnDQo+IE1vcmUgbWFqb3Jkb21v
IGluZm8gYXQgIGh0dHA6Ly92Z2VyLmtlcm5lbC5vcmcvbWFqb3Jkb21vLWluZm8uaHRtbA0K
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 40cbd6b..2395fe2 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1746,7 +1746,7 @@  find_mad_agent(struct ib_mad_port_private *port_priv,
 			if (!class)
 				goto out;
 			if (convert_mgmt_class(mad_hdr->mgmt_class) >=
-			    IB_MGMT_MAX_METHODS)
+			    ARRAY_SIZE(class->method_table))
 				goto out;
 			method = class->method_table[convert_mgmt_class(
 							mad_hdr->mgmt_class)];

[1/3] IB/mad: Fix an array index check

Commit Message

Comments

Patch