X-Patchwork-Submitter: Hal Rosenstock
X-Patchwork-Id: 7601191
To: Doug Ledford, "Hefty, Sean"
Cc: "linux-rdma@vger.kernel.org", Sagi Grimberg, Bart Van Assche
From: Hal Rosenstock
Subject: [PATCH] IB/mad: In validate_mad, validate CM method and attribute
Message-ID: <56447CA2.1070802@dev.mellanox.co.il>
Date: Thu, 12 Nov 2015 13:48:50 +0200

Receipt of CM MAD with response method for other than ClassPortInfo
attribute is invalid. CM attributes other than ClassPortInfo use send
method only and GetResp is valid for ClassPortInfo attribute. Note also
that the CM ClassPortInfo is not currently supported.

The SRP initiator does not maintain a timeout policy for CM connect
requests and relies on the CM layer to do that. The result was that the
SRP initiator hung as the connect request never completed.

A new SRP target has been observed to respond to Send CM REQ with
GetResp of CM REQ with bad status. This is non-conformant with IBA spec
but exposes a vulnerability in the current MAD/CM code which will
respond to the incoming GetResp of CM REQ as if it was a valid incoming
Send of CM REQ rather than tossing this on the floor. It also causes the
MAD layer not to retransmit the original REQ even though it has not
received a REP.

Reviewed-by: Sagi Grimberg
Signed-off-by: Hal Rosenstock
Reviewed-by: Sean Hefty
--- drivers/infiniband/core/mad.c | 8 ++++++++ include/rdma/ib_mad.h | 2 ++ 2 files changed, 10 insertions(+), 0 deletions(-) diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c index 8d8af7a..e2d425f 100644 --- a/drivers/infiniband/core/mad.c +++ b/drivers/infiniband/core/mad.c
@@ -1811,6 +1811,14 @@ static int validate_mad(const struct ib_mad_hdr *mad_hdr, if (qp_num == 0) valid = 1; } else { + /* CM attributes other than ClassPortInfo only use Send method */ + if (mad_hdr->mgmt_class == IB_MGMT_CLASS_CM) { + if (mad_hdr->attr_id != IB_MGMT_CLASSPORTINFO_ATTR_ID) { + if (mad_hdr->method != IB_MGMT_METHOD_SEND) + goto out; + } else if (mad_hdr->method != IB_MGMT_METHOD_GET_RESP) + goto out; + } /* Filter GSI packets sent to QP0 */ if (qp_num != 0) valid = 1; diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h index 188df91..ec9b44d 100644 --- a/include/rdma/ib_mad.h +++ b/include/rdma/ib_mad.h @@ -237,6 +237,8 @@ struct ib_vendor_mad { u8 data[IB_MGMT_VENDOR_DATA]; }; +#define IB_MGMT_CLASSPORTINFO_ATTR_ID cpu_to_be16(0x0001) + struct ib_class_port_info { u8 base_version; u8 class_version;
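Review bot: In the validate_mad hunk, the `else if (mad_hdr->method != IB_MGMT_METHOD_GET_RESP)` arm drops every CM ClassPortInfo MAD that is not a GetResp, including an incoming Get or Set, but the comment above it only states the Send rule for the other attributes. Extend the comment to say that ClassPortInfo is accepted as GetResp only and that requests are discarded because CM ClassPortInfo is not supported, so a later reader does not take the silent drop for an oversight. On style, the outer `if` arm is braced while the `else if` arm is not; brace both. Each rejected MAD leaves through `goto out` with no trace, so a rate-limited debug message naming the class, attribute and method would make a non-conformant peer like the one in the commit message diagnosable.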
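Review bot: In the ib_mad.h hunk, IB_MGMT_CLASSPORTINFO_ATTR_ID is defined already byte-swapped as `cpu_to_be16(0x0001)` and sits undocumented between struct ib_vendor_mad and struct ib_class_port_info. Add a one-line comment stating that the value is in wire (big-endian) order and is meant for direct comparison with `mad_hdr->attr_id`, as validate_mad does, so it is not later handed to code that expects a host-order attribute ID.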