linux/drivers/infiniband/core
Leon Romanovsky 3f802b162d RDMA/uverbs: Protect from command mask overflow
The command number is not bounds checked against the command mask before it
is shifted, resulting in an ubsan hit. This does not cause malfunction since
the command number is eventually bounds checked, but we can make this ubsan
clean by moving the bounds check to before the mask check.

================================================================================
UBSAN: Undefined behaviour in
drivers/infiniband/core/uverbs_main.c:647:21
shift exponent 207 is too large for 64-bit type 'long long unsigned int'
CPU: 0 PID: 446 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #61
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
dump_stack+0xde/0x164
? dma_virt_map_sg+0x22c/0x22c
ubsan_epilogue+0xe/0x81
__ubsan_handle_shift_out_of_bounds+0x293/0x2f7
? debug_check_no_locks_freed+0x340/0x340
? __ubsan_handle_load_invalid_value+0x19b/0x19b
? lock_acquire+0x440/0x440
? lock_acquire+0x19d/0x440
? __might_fault+0xf4/0x240
? ib_uverbs_write+0x68d/0xe20
ib_uverbs_write+0x68d/0xe20
? __lock_acquire+0xcf7/0x3940
? uverbs_devnode+0x110/0x110
? cyc2ns_read_end+0x10/0x10
? sched_clock_cpu+0x18/0x200
? sched_clock_cpu+0x18/0x200
__vfs_write+0x10d/0x700
? uverbs_devnode+0x110/0x110
? kernel_read+0x170/0x170
? __fget+0x35b/0x5d0
? security_file_permission+0x93/0x260
vfs_write+0x1b0/0x550
SyS_write+0xc7/0x1a0
? SyS_read+0x1a0/0x1a0
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x18/0x85
RIP: 0033:0x448e29
RSP: 002b:00007f033f567c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f033f5686bc RCX: 0000000000448e29
RDX: 0000000000000060 RSI: 0000000020001000 RDI: 0000000000000012
RBP: 000000000070bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000056a0 R14: 00000000006e8740 R15: 0000000000000000
================================================================================

Cc: syzkaller <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # 4.5
Fixes: 2dbd5186a3 ("IB/core: IB/core: Allow legacy verbs through extended interfaces")
Reported-by: Noa Osherovich <noaos@mellanox.com>
Reviewed-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-02-15 15:31:26 -07:00
..
addr.c RDMA/core: Avoid copying ifindex twice 2017-12-18 15:37:10 -07:00
agent.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
agent.h
cache.c {net, IB}/mlx5: Manage port association for multiport RoCE 2018-01-08 11:42:22 -07:00
cgroup.c IB/core: added support to use rdma cgroup controller 2017-01-10 11:14:27 -05:00
cm_msgs.h
cm.c RDMA/cm: Fix access to uninitialized variable 2018-01-28 14:07:16 -07:00
cma_configfs.c IB/cma: use strlcpy() instead of strncpy() 2018-01-15 15:33:21 -07:00
cma.c RDMA/cma: Use existing netif_is_bond_master function 2018-01-28 14:07:16 -07:00
core_priv.h RDMA/core: Add resource tracking for create and destroy QPs 2018-01-29 20:21:39 -07:00
cq.c RDMA/core: Add resource tracking for create and destroy CQs 2018-01-29 20:21:40 -07:00
device.c RDMA/restrack: Add general infrastructure to track RDMA resources 2018-01-29 20:21:39 -07:00
fmr_pool.c infiniband: fix core/fmr_pool.c kernel-doc notation 2018-01-10 22:00:34 -07:00
iwcm.c RDMA/netlink: Fix general protection fault 2017-12-07 15:28:07 -05:00
iwcm.h
iwpm_msg.c RDMA/iwpm: Properly mark end of NL messages 2017-09-29 11:32:42 -04:00
iwpm_util.c RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() 2017-12-13 10:55:49 -07:00
iwpm_util.h
mad_priv.h
mad_rmpp.c IB/mad: Change slid in RMPP recv from 16 to 32 bits 2017-08-08 14:47:18 -04:00
mad_rmpp.h
mad.c drivers: infiniband: remove duplicate includes 2017-12-22 09:39:35 -07:00
Makefile RDMA/restrack: Add general infrastructure to track RDMA resources 2018-01-29 20:21:39 -07:00
mr_pool.c
multicast.c IB/core: Define 'ib' and 'roce' rdma_ah_attr types 2017-05-01 14:32:43 -04:00
netlink.c RDMA/netlink: Simplify code of autoload modules 2018-01-02 13:36:57 -07:00
nldev.c RDMA/nldev: missing error code in nldev_res_get_doit() 2018-02-01 15:24:32 -07:00
opa_smi.h
packer.c
rdma_core.c IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy 2018-02-15 15:31:26 -07:00
rdma_core.h IB/core: Add new ioctl interface 2017-08-31 08:35:09 -04:00
restrack.c RDMA/restrack: Remove unimplemented XRCD object 2018-02-15 14:59:44 -07:00
roce_gid_mgmt.c {net, IB}/mlx5: Manage port association for multiport RoCE 2018-01-08 11:42:22 -07:00
rw.c IB/core: remove redundant check on prot_sg_cnt 2017-10-10 10:49:45 -04:00
sa_query.c IB/SA: Check dlid before SA agent queries for ClassPortInfo 2017-12-22 13:33:30 -07:00
sa.h
security.c Merge branch 'from-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git 2017-12-27 21:50:46 -07:00
smi.c
smi.h
sysfs.c IB/core: Fix two kernel warnings triggered by rxe registration 2018-01-03 17:26:59 -07:00
ucm.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
ucma.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
ud_header.c
umem_odp.c RDMA/umem: Avoid partial declaration of non-static function 2017-11-10 13:02:12 -05:00
umem.c IB/umem: Fix use of npages/nmap fields 2017-12-18 15:37:06 -07:00
user_mad.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
uverbs_cmd.c RDMA/core: Add resource tracking for create and destroy PDs 2018-01-29 20:21:40 -07:00
uverbs_ioctl_merge.c IB/uverbs: Fix method merging in uverbs_ioctl_merge 2018-02-15 14:59:45 -07:00
uverbs_ioctl.c IB/uverbs: Fix possible oops with duplicate ioctl attributes 2018-02-15 14:59:46 -07:00
uverbs_main.c RDMA/uverbs: Protect from command mask overflow 2018-02-15 15:31:26 -07:00
uverbs_marshall.c IB/core: Convert OPA AH to IB for Extended LIDs only 2017-11-13 15:53:57 -05:00
uverbs_std_types.c IB/uverbs: Use u64_to_user_ptr() not a union 2018-02-15 14:59:45 -07:00
uverbs.h IB/uverbs: Allow CQ moderation with modify CQ 2017-11-13 16:59:22 -05:00
verbs.c RDMA/core: Add resource tracking for create and destroy PDs 2018-01-29 20:21:40 -07:00