From: Sara Venkatesh
To: bvanassche@acm.org, jgg@ziepe.ca
Cc: leon@kernel.org, dledford@redhat.com, linux-rdma@vger.kernel.org, target-devel@vger.kernel.org, linux-kernel@vger.kernel.org, carlos.bilbao@kernel.org, Sara Venkatesh
Subject: [PATCH] RDMA/srpt: fix integer overflow in immediate data length check
Date: Mon, 4 May 2026 01:00:36 -0700
Message-ID: <20260504080036.3482415-1-sarajvenkatesh@gmail.com>

imm_buf->len is a user-controlled uint32_t received from the network.
Adding it to imm_data_offset without overflow checking allows a malicious
initiator to send len=0xFFFFFFFF, causing req_size to wrap around to a
small value, bypassing the bounds check, and subsequently passing a ~4GB
length to sg_init_one().

Use check_add_overflow() to detect wrapping before the comparison.

Fixes: 5dabcd0456d7 ("RDMA/srpt: Add support for immediate data")
Reported-by: Carlos Bilbao (Lambda)
Signed-off-by: Sara Venkatesh
Reviewed-by: Carlos Bilbao (Lambda)
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index 9aec5d80117f..f66cfd70c263 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1129,9 +1129,10 @@ static int srpt_get_desc_tbl(struct srpt_recv_ioctx = *recv_ioctx, struct srp_imm_buf *imm_buf =3D srpt_get_desc_buf(srp_cmd); void *data =3D (void *)srp_cmd + imm_data_offset; uint32_t len =3D be32_to_cpu(imm_buf->len); - uint32_t req_size =3D imm_data_offset + len; + uint32_t req_size; =20 - if (req_size > srp_max_req_size) { + if (check_add_overflow((uint32_t)imm_data_offset, len, &req_size) || + req_size > srp_max_req_size) { pr_err("Immediate data (length %d + %d) exceeds request size %d\n", imm_data_offset, len, srp_max_req_size); return -EINVAL; --=20 2.43.0
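Review bot: the pr_err() left as trailing context in this hunk still prints imm_data_offset and len with %d, so in exactly the case the new check rejects (len = 0xFFFFFFFF) the log line reports the length as -1 rather than 4294967295; both values are unsigned and should be formatted with %u. Since the commit message states that len is attacker-chosen by any initiator on the wire, an unconditional pr_err() on the rejection path also lets a remote peer flood the log with one malformed request per line; pr_err_ratelimited() would be the safer choice there. The (uint32_t) cast on imm_data_offset is appropriate, as it keeps check_add_overflow() computing in the same 32-bit type as req_size.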
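The wraparound the commit message describes, as an added userspace model of the pre-patch and patched length checks; this is example code written for this page, not code from the patch or from the srpt driver. It assumes imm_data_offset is a 16-bit value (the hunk casts it to uint32_t, which is consistent with a narrower type), uses a constructed srp_max_req_size of 4096 and a constructed offset of 64 bytes, and stands in for the kernel's check_add_overflow() with the compiler builtin __builtin_add_overflow() that the kernel macro wraps. The test values below go beyond the single len=0xFFFFFFFF case in the message: they also cover the largest len that does not wrap and the smallest len that wraps to exactly zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for the demo; not the driver's actual constants. */
#define DEMO_MAX_REQ_SIZE   4096u   /* stands in for srp_max_req_size        */
#define DEMO_IMM_OFFSET     64u     /* stands in for imm_data_offset (u16)   */

/* The sum exactly as the pre-patch code computed it: uint32_t arithmetic,
 * which silently wraps modulo 2^32. */
static uint32_t wrapped_req_size(uint16_t imm_data_offset, uint32_t len)
{
    uint32_t req_size = imm_data_offset + len;
    return req_size;
}

/* Pre-patch check: accepts the request iff the (possibly wrapped) sum fits. */
static bool imm_len_ok_vulnerable(uint16_t imm_data_offset, uint32_t len,
                                  uint32_t max_req_size)
{
    uint32_t req_size = imm_data_offset + len;   /* may wrap */
    return req_size <= max_req_size;
}

/* Patched check: reject on carry-out first, then compare the true sum.
 * __builtin_add_overflow() returns true when the result does not fit. */
static bool imm_len_ok_fixed(uint16_t imm_data_offset, uint32_t len,
                             uint32_t max_req_size)
{
    uint32_t req_size;

    if (__builtin_add_overflow((uint32_t)imm_data_offset, len, &req_size))
        return false;
    return req_size <= max_req_size;
}

int main(void)
{
    /* Constructed initiator-supplied lengths, covering the interesting cases. */
    const uint32_t lens[] = {
        1000u,                      /* ordinary, in-bounds immediate data     */
        5000u,                      /* too large, caught by both checks       */
        0xFFFFFFFFu - DEMO_IMM_OFFSET,  /* largest len that does not wrap     */
        0xFFFFFFFFu - DEMO_IMM_OFFSET + 1u, /* smallest len that wraps (to 0) */
        0xFFFFFFFFu,                /* the case from the commit message       */
    };

    printf("%-12s %-12s %-10s %-6s\n", "len", "u32 sum", "vulnerable", "fixed");
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        uint32_t len = lens[i];
        printf("0x%08x   0x%08x   %-10s %s\n", len,
               wrapped_req_size(DEMO_IMM_OFFSET, len),
               imm_len_ok_vulnerable(DEMO_IMM_OFFSET, len, DEMO_MAX_REQ_SIZE)
                   ? "accept" : "reject",
               imm_len_ok_fixed(DEMO_IMM_OFFSET, len, DEMO_MAX_REQ_SIZE)
                   ? "accept" : "reject");
    }
    return 0;
}
```

The table makes the bug visible: with len = 0xFFFFFFFF the 32-bit sum comes out as 63, which the old comparison happily accepts even though the driver would then hand the original ~4 GB len on to sg_init_one(); the patched check fails on the carry-out before the comparison is ever reached, and every in-bounds length is still accepted.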