From nobody Mon Jun  8 05:25:25 2026
Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com
 [209.85.219.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E86C4183CC3
	for <linux-kernel@vger.kernel.org>; Tue,  2 Jun 2026 19:46:32 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780429594; cv=none;
 b=ag5CVvITQsyUo+2xIDCt0GJnFuMtaDgqPdGKTdaRdmcg5rN7A5166qhNDHiHpt9fDKVsCoDQ7g/KReA6OkRtjgJQh9pEFx5FOBmiw/tlnfQgHBhuVCudw7xJzQvfEVMQSJX/R9Hr19qMtz6XJfhmIBIYgNKZYErWGpWjBJAO/QE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780429594; c=relaxed/simple;
	bh=b+0YgwUydQjZjrpamhzotWudWw/kVj/S8yOAVkMV3Oc=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=cvd8SEKp6vsNh/exhrX0Rpl63GSOrzoyAcdLxoPANC/CYEwr04/YIP9WI7WGhCTS0pjdww5zTsjma3BfeOfA4zREdve7ycVFdG+TnZB70m7UQ9MOj7bA2PBpGmCRRNKiuBP/y6oN7M3u4/oMilmGmXaP0DK2/4yYRnVr62esP4w=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=LFFkA8NZ; arc=none smtp.client-ip=209.85.219.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="LFFkA8NZ"
Received: by mail-qv1-f51.google.com with SMTP id
 6a1803df08f44-8ccef25789fso29486956d6.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 02 Jun 2026 12:46:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1780429592; x=1781034392;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=LXg9CW0RL7u3WIt+O2J9TMuOUmzIWnGIGXEco+AdElc=;
        b=LFFkA8NZeG4dXfHAWf7L0C0npkiMUs/hVzyDKrRFptGcXNPr8y3dio5ZmsRCZWivVO
         GS/vzRqJn/N7f2sWlVbQt/X2qI/FmwNe3hVf37h/nd8/fMfibt6tBaQs9as+kN9kH7E/
         leXnfD19LBS5OhTzV7yqY/jiemGHuZj2z1wl9Xm7MlJxbgsqGE23MS+RwqzMqGLavl5e
         gNILghx9hfKhgmHI25NYMdnk1mkzpSa3L47vGlmvVOIIIzc+U9jqEFkU98QKi+SWd/O9
         m86KnWVM5QgWVHPud6MsgDrYGF2PAKzVNu5D/r2Tr4TdWRfcN8ajXT95TriKu+cYLyRa
         LxVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780429592; x=1781034392;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=LXg9CW0RL7u3WIt+O2J9TMuOUmzIWnGIGXEco+AdElc=;
        b=A2bCXb+3P34d2K4r+l7S8nhGEU8ocyX4mYxLtOKhbD9ID8qX8to/MoET9zfKy7xK1P
         DgKDrXeV39L4rECV27OFBZ3rFxwEx6AXybPXFYejQeHX+ncUceB8txQKsBGUjit5bQk/
         YmbCXqTv9AC4pUm3kzK8y9bDyxpUGab52RVuPxlKwMWO6Y+wJSYREkK/9wL5iMgJhJo2
         ihnDzS7mKoYvARWfUP71d87SAswWGb4jXprTTHphKDDaJwG/tihlTrKXqqCLg9KdQUhx
         ZBY3NnY7skGaYFrb7TxIq12TsacyIoOjIBS8kNItHOU26tYGvuQx5+CPLsNlyeWLiTSl
         WwnQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ8GjFjJlWOxDF4OT7ELehbJcXu+ZblyN5Xs/uo1R5yW25ySbasOm+XiATG0sdxBAE/iCRScbGFFofQYazk=@vger.kernel.org
X-Gm-Message-State: AOJu0YxJz8yEHkARy4Nh0ArFyXAPPigvCPPCpPSpYk9KGMrgSqO+lEYf
	ya4UCM9R2lLBnLjQOWXj1mhRrGW15oYnY7FM/H30TuJnUsiXBkZB2j3Q
X-Gm-Gg: Acq92OHhSdzkT6K6zgCO/EgRgTPfFwFrA/RQ5ei1dw4ipYdSHDNI/ide3grrxRcSzLP
	cTHtZdxR1y6/KYJN4pRau3KVepR3u356TIcsQop/wToocebMOv9u2mXUSRm5o0rPqKwLjUWlnIE
	M6xafKzDRMYsVqErjgHDnJXPlGzF9nIXISPqlkez2WSIoDQsOAlEZQiNvR4HjD91UALi8wEtEI+
	XFPWhqh1ncRW9/Qhg/T2VKJXB6DItk+4rSi3Hih0x5VjDTMZNHbglPJTRWjo1nTRfFBD/TWHWDA
	nnCbxs75CqcR7TPTSLv4I4265vKjFAdTee2v5izvMpPOHWVtSWs3FrkPtb+w+r3a0zq1oOsVAFg
	1NBVOye6BnPnLlZHdIvbpXcJxpjneQgiBJf3ICMKeAoJB3RJCeJGTRgoDnRQZ9dz/JC1T/0R86V
	B+javknjKZiRJtE3rzeyUw960iCmKy7b0piVylDsCGoBTrgYKAX5dPTPymx2rew4AyCD9b01zcj
	fzGDQXt7aVCXZofc8GsV9nRk3triAA=
X-Received: by 2002:a05:6214:3213:b0:8cc:e6fe:c77 with SMTP id
 6a1803df08f44-8cecdbfd592mr492756d6.7.1780429591829;
        Tue, 02 Jun 2026 12:46:31 -0700 (PDT)
Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-8ceccdb93d8sm1059326d6.16.2026.06.02.12.46.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 02 Jun 2026 12:46:31 -0700 (PDT)
From: Michael Bommarito <michael.bommarito@gmail.com>
To: Bart Van Assche <bvanassche@acm.org>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Leon Romanovsky <leon@kernel.org>
Cc: linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] RDMA/srp: bound SRP_RSP sense copy by the received length
Date: Tue,  2 Jun 2026 15:46:19 -0400
Message-ID: <20260602194619.2272486-1-michael.bommarito@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

srp_process_rsp() in drivers/infiniband/ulp/srp/ib_srp.c copies sense
data with the source pointer rsp->data + be32_to_cpu(rsp->resp_data_len),
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the size of the receive buffer or the
number of bytes actually received (wc->byte_len).

A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and resp_data_len set to a large value such as
0xFFFFFFFF. The receive buffer is allocated at the target-chosen
max_ti_iu_len, so the copy source lands far past the allocation.

The memcpy then reads out of bounds of the kzalloc'd receive IU; with
resp_data_len near 0xFFFFFFFF the source is multiple gigabytes past the
buffer and faults.

Pass wc->byte_len into srp_process_rsp() and copy the sense data only
when the response header, the response data, and the sense region fit
within the bytes actually received; otherwise drop the sense and log.
The in-tree iSER and NVMe-RDMA receive paths already bound their parse
by wc->byte_len; this brings ib_srp into line with them.

Fixes: aef9ec39c40c ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---

Impact: a malicious or compromised SRP target the initiator has logged
into can trigger an out-of-bounds read in srp_process_rsp() by returning
an SRP_RSP with SRP_RSP_FLAG_SNSVALID and a large resp_data_len, faulting
the initiator's SRP completion path.

 drivers/infiniband/ulp/srp/ib_srp.c | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/s=
rp/ib_srp.c
index b58868e1cf11c..199d46fb12146 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1932,7 +1932,8 @@ static int srp_post_recv(struct srp_rdma_ch *ch, stru=
ct srp_iu *iu)
 	return ib_post_recv(ch->qp, &wr, NULL);
 }
=20
-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
+static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
+			    u32 byte_len)
 {
 	struct srp_target_port *target =3D ch->target;
 	struct srp_request *req;
@@ -1973,10 +1974,26 @@ static void srp_process_rsp(struct srp_rdma_ch *ch,=
 struct srp_rsp *rsp)
 		scmnd->result =3D rsp->status;
=20
 		if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
-			memcpy(scmnd->sense_buffer, rsp->data +
-			       be32_to_cpu(rsp->resp_data_len),
-			       min_t(int, be32_to_cpu(rsp->sense_data_len),
-				     SCSI_SENSE_BUFFERSIZE));
+			u32 resp_len =3D be32_to_cpu(rsp->resp_data_len);
+			u32 sense_len =3D min_t(u32,
+					      be32_to_cpu(rsp->sense_data_len),
+					      SCSI_SENSE_BUFFERSIZE);
+
+			/*
+			 * The sense data starts resp_data_len bytes past the
+			 * response data area.  Both lengths are taken from the
+			 * target controlled response, so reject a response
+			 * whose sense region would run past the bytes actually
+			 * received rather than reading out of bounds of the
+			 * receive buffer.
+			 */
+			if (sizeof(*rsp) + (u64)resp_len + sense_len <=3D byte_len)
+				memcpy(scmnd->sense_buffer,
+				       rsp->data + resp_len, sense_len);
+			else
+				shost_printk(KERN_ERR, target->scsi_host,
+					     "dropping oversized sense (resp_data_len %u sense_data_len %u) i=
n %u-byte RSP\n",
+					     resp_len, sense_len, byte_len);
 		}
=20
 		if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
@@ -2086,7 +2103,7 @@ static void srp_recv_done(struct ib_cq *cq, struct ib=
_wc *wc)
=20
 	switch (opcode) {
 	case SRP_RSP:
-		srp_process_rsp(ch, iu->buf);
+		srp_process_rsp(ch, iu->buf, wc->byte_len);
 		break;
=20
 	case SRP_CRED_REQ:
--=20
2.53.0