linux/drivers/infiniband/hw/cxgb4
Yann Droneaud b7dfa8895f RDMA/cxgb4: add missing padding at end of struct c4iw_alloc_ucontext_resp
The i386 ABI disagrees with most other ABIs regarding alignment of
data types larger than 4 bytes: on most ABIs a padding must be added
at end of the structures, while it is not required on i386.

So for most ABI struct c4iw_alloc_ucontext_resp gets implicitly padded
to be aligned on a 8 bytes multiple, while for i386, such padding is
not added.

The tool pahole can be used to find such implicit padding:

  $ pahole --anon_include \
           --nested_anon_include \
           --recursive \
           --class_name c4iw_alloc_ucontext_resp \
           drivers/infiniband/hw/cxgb4/iw_cxgb4.o

Then, structure layout can be compared between i386 and x86_64:

  +++ obj-i386/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt   2014-03-28 11:43:05.547432195 +0100
  --- obj-x86_64/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 10:55:10.990133017 +0100
  @@ -2,9 +2,8 @@ struct c4iw_alloc_ucontext_resp {
          __u64                      status_page_key;      /*     0     8 */
          __u32                      status_page_size;     /*     8     4 */

  -       /* size: 12, cachelines: 1, members: 2 */
  -       /* last cacheline: 12 bytes */
  +       /* size: 16, cachelines: 1, members: 2 */
  +       /* padding: 4 */
  +       /* last cacheline: 16 bytes */
   };

This ABI disagreement will make an x86_64 kernel try to write past the
buffer provided by an i386 binary.

When boundary check will be implemented, the x86_64 kernel will refuse
to write past the i386 userspace provided buffer and the uverbs will
fail.

If the structure is on a page boundary and the next page is not
mapped, ib_copy_to_udata() will fail and the uverb will fail.

Additionally, as reported by Dan Carpenter, without the implicit
padding being properly cleared, an information leak would take place
in most architectures.

This patch adds an explicit padding to struct c4iw_alloc_ucontext_resp,
and, like 92b0ca7cb1 ("IB/mlx5: Fix stack info leak in
mlx5_ib_alloc_ucontext()"), makes function c4iw_alloc_ucontext()
not writting this padding field to userspace. This way, x86_64 kernel
will be able to write struct c4iw_alloc_ucontext_resp as expected by
unpatched and patched i386 libcxgb4.

Link: http://marc.info/?i=cover.1399309513.git.ydroneaud@opteya.com
Link: http://marc.info/?i=1395848977.3297.15.camel@localhost.localdomain
Link: http://marc.info/?i=20140328082428.GH25192@mwanda
Cc: <stable@vger.kernel.org>
Fixes: 05eb23893c ("cxgb4/iw_cxgb4: Doorbell Drop Avoidance Bug Fixes")
Reported-by: Yann Droneaud <ydroneaud@opteya.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
2014-06-05 09:13:54 -07:00
..
cm.c RDMA/cxgb4: Fix vlan support 2014-05-19 18:00:32 -07:00
cq.c RDMA/cxgb4: Add missing padding at end of struct c4iw_create_cq_resp 2014-05-29 21:44:57 -07:00
device.c RDMA/cxgb4: Fix memory leaks in c4iw_alloc() error paths 2014-05-19 17:55:43 -07:00
ev.c RDMA/cxgb4: Handle newer firmware changes 2013-08-13 11:55:44 -07:00
id_table.c drivers/infiniband/hw: rename random32() to prandom_u32() 2013-05-07 18:38:27 -07:00
iw_cxgb4.h RDMA/cxgb4: Fix endpoint mutex deadlocks 2014-04-28 17:29:41 -07:00
Kconfig RDMA/cxgb4: Update Kconfig to include Chelsio T5 adapter 2014-04-28 17:29:41 -07:00
Makefile RDMA/cxgb4: Remove kfifo usage 2012-05-18 13:22:36 -07:00
mem.c RDMA/cxgb4: Add missing debug stats 2014-04-11 11:36:09 -07:00
provider.c RDMA/cxgb4: add missing padding at end of struct c4iw_alloc_ucontext_resp 2014-06-05 09:13:54 -07:00
qp.c RDMA/cxgb4: Only allow kernel db ringing for T4 devs 2014-04-28 17:29:41 -07:00
resource.c RDMA/cxgb4: Add missing debug stats 2014-04-11 11:36:09 -07:00
t4.h RDMA/cxgb4: Max fastreg depth depends on DSGL support 2014-04-11 11:36:08 -07:00
t4fw_ri_api.h RDMA/cxgb4: Force T5 connections to use TAHOE congestion control 2014-04-28 17:29:41 -07:00
user.h RDMA/cxgb4: add missing padding at end of struct c4iw_alloc_ucontext_resp 2014-06-05 09:13:54 -07:00