From nobody Sun Feb 8 22:34:59 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=gmail.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1552747010783704.4682622221167; Sat, 16 Mar 2019 07:36:50 -0700 (PDT) Received: from localhost ([127.0.0.1]:42580 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h5AQS-00027Z-BG for importer@patchew.org; Sat, 16 Mar 2019 10:36:40 -0400 Received: from eggs.gnu.org ([209.51.188.92]:49513) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h5AOM-0000lX-CZ for qemu-devel@nongnu.org; Sat, 16 Mar 2019 10:34:31 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h5AOK-0000UG-On for qemu-devel@nongnu.org; Sat, 16 Mar 2019 10:34:30 -0400 Received: from mail-wm1-x32b.google.com ([2a00:1450:4864:20::32b]:53742) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1h5AOK-0000Te-Bg for qemu-devel@nongnu.org; Sat, 16 Mar 2019 10:34:28 -0400 Received: by mail-wm1-x32b.google.com with SMTP id e74so9042514wmg.3 for ; Sat, 16 Mar 2019 07:34:28 -0700 (PDT) Received: from localhost.localdomain ([176.228.155.165]) by smtp.gmail.com with ESMTPSA id l8sm7518895wrv.45.2019.03.16.07.34.25 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 16 Mar 2019 07:34:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references 
:mime-version:content-transfer-encoding; bh=oeCLUJeqFX/3m5HV9T/ZaQf5IsaonoxH4mRVJIXrSBc=; b=B5bmBK2AmsAuCQB+mLLYmZu7e2QUC9PNp6ognPPLc+wtICGQgoYUl1eKdf+a+kB3y6 rqsdAqwxHsJwAdJucp7CX5IhUYCIjk5L1aJf+SL387v2iHo85JoeXqRJdZhWTXC57Np8 WK0BlXBIw3CHgtP4bpmlufQS7k/V8cn1sisK3WXKeW65DsDUjtGSSmbHtkEBo0ISmr+d WQeFElGGy5ghr8ebEHQpltxqHISWs9Z7Ym4Js3NtdbmoZ6woYWALYU5lQ5yp4hLdgKA4 O919OzWlBBDToZZvaooQocU3lfHOFmz/0tnqo+513qn/PjxjaKFXznv15Ml65c5HiaLJ KfpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=oeCLUJeqFX/3m5HV9T/ZaQf5IsaonoxH4mRVJIXrSBc=; b=gDq7o0VLEPKyoU0qQPqWcAYMobZvA/XNnyyf0M03KbNJzJI9O2jtpb84fXiLF0CFOs Gx5MEGxAok6/OsvGrZ/SCbpsiLssfPtIbBfX4oAz8A8uS8yNEJ5TJ+3lb7446mBACfA/ B+9cfs3+zteno304LLJBEQMxOCEWxAY143OuGPltzg+RvfWmx6CaDWucvEC2hcrXfDqK kBpt3Baxh17w4gBAy09WnwhEwifSo+Gu5jRroFdVG869wqKjo19l9mEaFk8+7aQE1LOL iyHJvDv73h9DWEW1MD0RSNPeUbrSmkay/hCS/W2qEqpZ1DVZi0ebso3NcgVCbmHMkgR+ HhLg== X-Gm-Message-State: APjAAAV2ToQmkwa6bSHY6UFrB3O5NVTQ9QZeTH7yx3F079Obe4bCRCQh LASI3cNjl+ByqI5inAC2e8OtQ7J2 X-Google-Smtp-Source: APXvYqzSj/bGi2XUgo2w25UA8Vt8wD+4UDXpxCqz6syofqnf9uIyLGJgGur6oElGgBp+K4Vq8mdQZw== X-Received: by 2002:a05:600c:20e:: with SMTP id 14mr5960788wmi.144.1552746866844; Sat, 16 Mar 2019 07:34:26 -0700 (PDT) 
From: Marcel Apfelbaum To: qemu-devel@nongnu.org, peter.maydell@linaro.org Date: Sat, 16 Mar 2019 16:34:04 +0200 Message-Id: <20190316143421.8194-2-marcel.apfelbaum@gmail.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190316143421.8194-1-marcel.apfelbaum@gmail.com> References: <20190316143421.8194-1-marcel.apfelbaum@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:4864:20::32b Subject: [Qemu-devel] [PATCH PULL 01/18] contrib/rdmacm-mux: Fix out-of-bounds risk X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: philmd@redhat.com, kamalheib1@gmail.com, yuval.shaia@oracle.com, dgilbert@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) From: Yuval Shaia The function get_fd extracts the context from the received MAD message and uses it as a key to fetch the destination fd from the mapping table. The context can be the dgid in case of a CM request message or the comm_id in case of a CM SIDR response message. When a MAD message smaller than expected for the received message type arrives, we hit an out-of-bounds access while looking for the context beyond the message boundaries. Fix it by validating the message size. Reported-by Sam Smith Signed-off-by: Yuval Shaia Message-Id: <20190212112347.1605-1-yuval.shaia@oracle.com> Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Marcel Apfelbaum Reported-by Sam Smith --- contrib/rdmacm-mux/main.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/contrib/rdmacm-mux/main.c b/contrib/rdmacm-mux/main.c index ae88c77a1e..21cc804367 100644 --- a/contrib/rdmacm-mux/main.c +++ b/contrib/rdmacm-mux/main.c 
@@ -300,7 +300,7 @@ static void hash_tbl_remove_fd_ifid_pair(int fd)
     pthread_rwlock_unlock(&server.lock);
 }
=20
-static int get_fd(const char *mad, int *fd, __be64 *gid_ifid)
+static int get_fd(const char *mad, int umad_len, int *fd, __be64 *gid_ifid)
 {
     struct umad_hdr *hdr =3D (struct umad_hdr *)mad;
     char *data =3D (char *)hdr + sizeof(*hdr);
@@ -308,13 +308,35 @@ static int get_fd(const char *mad, int *fd, __be64 *g= id_ifid)
     uint16_t attr_id =3D be16toh(hdr->attr_id);
     int rc =3D 0;
=20
+    if (umad_len <=3D sizeof(*hdr)) {
+        rc =3D -EINVAL;
+        syslog(LOG_DEBUG, "Ignoring MAD packets with header only\n");
+        goto out;
+    }
+
     switch (attr_id) {
     case UMAD_CM_ATTR_REQ:
+        if (unlikely(umad_len < sizeof(*hdr) + CM_REQ_DGID_POS +
+                     sizeof(*gid_ifid))) {
+            rc =3D -EINVAL;
+            syslog(LOG_WARNING,
+                   "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad= _len,
+                   attr_id);
+            goto out;
+        }
         memcpy(gid_ifid, data + CM_REQ_DGID_POS, sizeof(*gid_ifid));
         rc =3D hash_tbl_search_fd_by_ifid(fd, gid_ifid);
         break;
=20
     case UMAD_CM_ATTR_SIDR_REQ:
+        if (unlikely(umad_len < sizeof(*hdr) + CM_SIDR_REQ_DGID_POS +
+                     sizeof(*gid_ifid))) {
+            rc =3D -EINVAL;
+            syslog(LOG_WARNING,
+                   "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad= _len,
+                   attr_id);
+            goto out;
+        }
         memcpy(gid_ifid, data + CM_SIDR_REQ_DGID_POS, sizeof(*gid_ifid));
         rc =3D hash_tbl_search_fd_by_ifid(fd, gid_ifid);
         break;
@@ -331,6 +353,13 @@ static int get_fd(const char *mad, int *fd, __be64 *gi= d_ifid)
         data +=3D sizeof(comm_id);
         /* Fall through */
     case UMAD_CM_ATTR_SIDR_REP:
+        if (unlikely(umad_len < sizeof(*hdr) + sizeof(comm_id))) {
+            rc =3D -EINVAL;
+            syslog(LOG_WARNING,
+                   "Invalid MAD packet size (%d) for attr_id 0x%x\n", umad= _len,
+                   attr_id);
+            goto out;
+        }
         memcpy(&comm_id, data, sizeof(comm_id));
         if (comm_id) {
             rc =3D hash_tbl_search_fd_by_comm_id(comm_id, fd, gid_ifid);
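Review bot: The new size checks compare the `int umad_len` against `size_t` expressions, so a negative umad_len is converted to a very large unsigned value and passes the header-only check `umad_len <= sizeof(*hdr)` at the top of the second hunk as well as the `unlikely(umad_len < ...)` checks under UMAD_CM_ATTR_REQ and UMAD_CM_ATTR_SIDR_REQ, instead of being rejected; the check added under UMAD_CM_ATTR_SIDR_REP in the third hunk has the same shape. Whether a negative length can actually reach get_fd is not visible here (the caller passes `msg.umad_len` from the receive loop in umad_recv_thread_func, which lies outside this patch), so the guard should make the assumption explicit: `if (umad_len < 0 || (size_t)umad_len <= sizeof(*hdr)) {`. With that rejection in place the later comparisons are well-defined, and writing them as `(size_t)umad_len < ...` keeps `-Wsign-compare` quiet. get_fd's body continues past the end of this hunk.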
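Review bot: The bound added under `case UMAD_CM_ATTR_SIDR_REP:` does not cover the fall-through path into it: the context line `data += sizeof(comm_id);` has already advanced `data` one comm_id past the header, so the subsequent `memcpy(&comm_id, data, sizeof(comm_id))` reads up to `sizeof(*hdr) + 2 * sizeof(comm_id)` bytes into the MAD while the check only requires `sizeof(*hdr) + sizeof(comm_id)`, leaving the last comm_id-sized read unchecked for the cases that fall through (their labels are above this hunk). Checking against the current offset of `data` rather than a fixed constant covers both entry paths: `size_t need = (size_t)(data - mad) + sizeof(comm_id);` followed by `if (unlikely(umad_len < 0 || (size_t)umad_len < need)) {`. get_fd starts before and ends after this hunk.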
@@ -344,6 +373,7 @@ static int get_fd(const char *mad, int *fd, __be64 *gid= _ifid)
=20
     syslog(LOG_DEBUG, "mad_to_vm: %d 0x%x 0x%x\n", *fd, attr_id, comm_id);
=20
+out:
     return rc;
 }
=20
@@ -372,7 +402,8 @@ static void *umad_recv_thread_func(void *args)
         } while (rc && server.run);
=20
         if (server.run) {
-            rc =3D get_fd(msg.umad.mad, &fd, &msg.hdr.sgid.global.interfac= e_id);
+            rc =3D get_fd(msg.umad.mad, msg.umad_len, &fd,
+                        &msg.hdr.sgid.global.interface_id);
             if (rc) {
                 continue;
             }
--=20
2.17.1