From patchwork Mon Mar 10 22:06:27 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yann Droneaud <ydroneaud@opteya.com>
X-Patchwork-Id: 3807531
Return-Path: <linux-rdma-owner@kernel.org>
X-Original-To: patchwork-linux-rdma@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 839369F2BB
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 10 Mar 2014 22:07:36 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id B05D42021C
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 10 Mar 2014 22:07:35 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id B7FD4202AE
	for <patchwork-linux-rdma@patchwork.kernel.org>;
	Mon, 10 Mar 2014 22:07:34 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752678AbaCJWHd (ORCPT
	<rfc822;patchwork-linux-rdma@patchwork.kernel.org>);
	Mon, 10 Mar 2014 18:07:33 -0400
Received: from smtp6-g21.free.fr ([212.27.42.6]:44672 "EHLO
	smtp6-g21.free.fr"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752337AbaCJWHd (ORCPT <rfc822;linux-rdma@vger.kernel.org>);
	Mon, 10 Mar 2014 18:07:33 -0400
Received: from localhost.localdomain (unknown
	[IPv6:2a01:e35:2e9f:6ac0:458a:825f:745b:2e3d])
	by smtp6-g21.free.fr (Postfix) with ESMTP id 3295C82283;
	Mon, 10 Mar 2014 23:07:15 +0100 (CET)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by localhost.localdomain (8.14.8/8.14.7) with ESMTP id s2AM7BWd005782;
	Mon, 10 Mar 2014 23:07:14 +0100
Received: (from ydroneaud@localhost)
	by localhost.localdomain (8.14.8/8.14.8/Submit) id s2AM7AI9005781;
	Mon, 10 Mar 2014 23:07:10 +0100
From: Yann Droneaud <ydroneaud@opteya.com>
To: Roland Dreier <roland@purestorage.com>, Roland Dreier <roland@kernel.org>
Cc: linux-rdma@vger.kernel.org, Yann Droneaud <ydroneaud@opteya.com>,
	Faisal Latif <faisal.latif@intel.com>,
	"Tatyana E. Nikolova" <tatyana.e.nikolova@intel.com>,
	Julia Lawall <julia.lawall@lip6.fr>, cocci@systeme.lip6.fr,
	stable@vger.kernel.org
Subject: [PATCH for v3.14 3/5] IB/nes: returns an error on
	ib_copy_from_udata() failure instead of NULL
Date: Mon, 10 Mar 2014 23:06:27 +0100
Message-Id: 
 <69b8f22f0d52b1c1f97b0af2b5bcecbe14cb1da2.1394485254.git.ydroneaud@opteya.com>
X-Mailer: git-send-email 1.8.5.3
In-Reply-To: <cover.1394485254.git.ydroneaud@opteya.com>
References: <cover.1394485254.git.ydroneaud@opteya.com>
In-Reply-To: <cover.1394485254.git.ydroneaud@opteya.com>
References: <cover.1394485254.git.ydroneaud@opteya.com>
Sender: linux-rdma-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-rdma.vger.kernel.org>
X-Mailing-List: linux-rdma@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In case of error while accessing to userspace memory,
function nes_create_qp() returns NULL instead of an error
code wrapped through ERR_PTR().

But NULL is not expected by ib_uverbs_create_qp(), as it
check for error with IS_ERR().

As page 0 is likely not mapped, it is going to trigger an
Oops when the kernel will try to dereference NULL pointer
to access to struct ib_qp's fields.

In some rare cases, page 0 could be mapped by userspace,
which could turn this bug to a vulnerability that could be
exploited: the function pointers in struct ib_device will be under
userspace total control.

This was caught when using spatch (aka. coccinelle)
to rewrite calls to ib_copy_{from,to}_udata().

Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null
Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci
Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com
Cc: Faisal Latif <faisal.latif@intel.com>
Cc: Tatyana E. Nikolova <tatyana.e.nikolova@intel.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Cc: cocci@systeme.lip6.fr
Cc: stable@vger.kernel.org
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
---
 drivers/infiniband/hw/nes/nes_verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
index 8308e3634767..eb624611f94b 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1186,7 +1186,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
 					nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);
 					kfree(nesqp->allocated_buffer);
 					nes_debug(NES_DBG_QP, "ib_copy_from_udata() Failed \n");
-					return NULL;
+					return ERR_PTR(-EFAULT);
 				}
 				if (req.user_wqe_buffers) {
 					virt_wqs = 1;