[PATCH 4.9 10/70] IB/rxe: do not copy extra stack memory to skb

Mon, 17 Sep 2018 15:58:38 -0700 

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keesc...@chromium.org>

commit 4c93496f18ce5044d78e4f7f9e018682a4f44b3d upstream.

This fixes a over-read condition detected by FORTIFY_SOURCE for this
line:

        memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb));

The error was:

  In file included from ./include/linux/bitmap.h:8:0,
                   from ./include/linux/cpumask.h:11,
                   from ./include/linux/mm_types_task.h:13,
                   from ./include/linux/mm_types.h:4,
                   from ./include/linux/kmemcheck.h:4,
                   from ./include/linux/skbuff.h:18,
                   from drivers/infiniband/sw/rxe/rxe_resp.c:34:
  In function 'memcpy',
      inlined from 'send_atomic_ack.constprop' at 
drivers/infiniband/sw/rxe/rxe_resp.c:998:2,
      inlined from 'acknowledge' at drivers/infiniband/sw/rxe/rxe_resp.c:1026:3,
      inlined from 'rxe_responder' at 
drivers/infiniband/sw/rxe/rxe_resp.c:1286:10:
  ./include/linux/string.h:309:4: error: call to '__read_overflow2' declared 
with attribute error: detected read beyond size of object passed as 2nd 
parameter
      __read_overflow2();

Daniel Micay noted that struct rxe_pkt_info is 32 bytes on 32-bit
architectures, but skb->cb is still 64.  The memcpy() over-reads 32
bytes.  This fixes it by zeroing the unused bytes in skb->cb.

Link: 
http://lkml.kernel.org/r/1497903987-21002-5-git-send-email-keesc...@chromium.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: Moni Shoua <mo...@mellanox.com>
Cc: Doug Ledford <dledf...@redhat.com>
Cc: Sean Hefty <sean.he...@intel.com>
Cc: Daniel Micay <danielmi...@gmail.com>
Signed-off-by: Andrew Morton <a...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Amit Pundir <amit.pun...@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/infiniband/sw/rxe/rxe_resp.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/sw/rxe/rxe_resp.c
+++ b/drivers/infiniband/sw/rxe/rxe_resp.c
@@ -978,7 +978,9 @@ static int send_atomic_ack(struct rxe_qp
        free_rd_atomic_resource(qp, res);
        rxe_advance_resp_resource(qp);
 
-       memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb));
+       memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(ack_pkt));
+       memset((unsigned char *)SKB_TO_PKT(skb) + sizeof(ack_pkt), 0,
+              sizeof(skb->cb) - sizeof(ack_pkt));
 
        res->type = RXE_ATOMIC_MASK;
        res->atomic.skb = skb;

Reply via email to