    RDMA/ucma: Introduce safer rdma_addr_size() variants · 84652aef
    Roland Dreier authored
    There are several places in the ucma ABI where userspace can pass in a
    sockaddr but set the address family to AF_IB.  When that happens,
    rdma_addr_size() will return a size bigger than sizeof struct sockaddr_in6,
    and the ucma kernel code might end up copying past the end of a buffer
    not sized for a struct sockaddr_ib.
    
    Fix this by introducing new variants
    
        int rdma_addr_size_in6(struct sockaddr_in6 *addr);
        int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
    
    that are type-safe for the types used in the ucma ABI and return 0 if the
    size computed is bigger than the size of the type passed in.  We can use
    these new variants to check what size userspace has passed in before
    copying any addresses.
    
    Reported-by: <syzbot+6800425d54ed3ed8135d@syzkaller.appspotmail.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
ucma.c 43.7 KB
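
The size check the commit message describes, modelled in userspace C as an added example (not the kernel's code and not part of this commit). The `model_*` names, the `copy_from_in6_field` caller and the stand-in `model_sockaddr_ib` with its size are assumptions made for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef AF_IB
#define AF_IB 27   /* Linux address family number for InfiniBand */
#endif

/* Stand-in for struct sockaddr_ib (assumption: only its larger size matters). */
struct model_sockaddr_ib { sa_family_t sib_family; unsigned char sib_rest[46]; };

/* Family-driven size lookup: trusts sa_family alone, not the caller's buffer. */
size_t model_addr_size(const struct sockaddr *addr)
{
    switch (addr->sa_family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    case AF_IB:    return sizeof(struct model_sockaddr_ib);
    default:       return 0;
    }
}

/* Type-safe variants: return 0 when the computed size exceeds the type passed in. */
size_t model_addr_size_in6(const struct sockaddr_in6 *addr)
{
    size_t n = model_addr_size((const struct sockaddr *)addr);
    return n <= sizeof(*addr) ? n : 0;
}

size_t model_addr_size_kss(const struct sockaddr_storage *addr)
{
    size_t n = model_addr_size((const struct sockaddr *)addr);
    return n <= sizeof(*addr) ? n : 0;
}

/* Caller pattern: check the size before copying out of a sockaddr_in6-sized field. */
int copy_from_in6_field(const struct sockaddr_in6 *src, struct sockaddr_storage *dst)
{
    size_t n = model_addr_size_in6(src);
    if (n == 0) return -1;   /* reject instead of reading past *src */
    memcpy(dst, src, n);
    return (int)n;
}

int main(void)
{
    struct sockaddr_in6 a = { .sin6_family = AF_IB };  /* constructed input */
    struct sockaddr_storage out;
    return copy_from_in6_field(&a, &out) == -1 ? 0 : 1;
}
```

The same AF_IB family value is rejected for a `sockaddr_in6`-sized field but accepted by the storage-sized variant, which is why the check is tied to the type of the field rather than to the family alone.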