>
> Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
> blindly passed to memcpy, allowing the userspace to trash kernel memory.
> Bounds check it so the memcpy cannot overflow.
>
> Cc: [email protected]
> Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure
> Network Adapter")
> Link:
> https://sashiko.d/
> ev%2F%23%2Fpatchset%2F0-v2-1c49eeb88c48%252B91-
> rdma_udata_rep_jgg%2540nvidia.com%3Fpart%3D1&data=05%7C02%7Clongli%
> 40microsoft.com%7C12e76b7833a74fb98a8208dea541b8cd%7C72f988bf86f141
> af91ab2d7cd011db47%7C1%7C0%7C639129898875053924%7CUnknown%7CT
> WFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4
> zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=75tKj32YfU
> uN7KdnsW63AjlwgnSLt2KXz34EUbXp2wI%3D&reserved=0
> Signed-off-by: Jason Gunthorpe <[email protected]>
Reviewed-by: Long Li <[email protected]> > --- > drivers/infiniband/hw/mana/qp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c > index 645581359cee0b..f7bb0d1f0f8034 100644 > --- a/drivers/infiniband/hw/mana/qp.c > +++ b/drivers/infiniband/hw/mana/qp.c > @@ -21,6 +21,9 @@ static int mana_ib_cfg_vport_steering(struct mana_ib_dev > *dev, > > gc = mdev_to_gc(dev); > > + if (rx_hash_key_len > sizeof(req->hashkey)) > + return -EINVAL; > + > req_buf_size = struct_size(req, indir_tab, > MANA_INDIRECT_TABLE_DEF_SIZE); > req = kzalloc(req_buf_size, GFP_KERNEL); > if (!req) > -- > 2.43.0
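Review bot: the new check at the top of mana_ib_cfg_vport_steering() returns -EINVAL with no diagnostic, so a userspace caller that passes an oversized rx_hash_key_len gets no hint about which field was rejected or what the limit is. Consider a debug print (for example ibdev_dbg) that reports the supplied length and sizeof(req->hashkey). Placing the check before kzalloc() is right, since this error path then needs no cleanup, and sizeof(req->hashkey) is safe at that point because sizeof does not evaluate req. The memcpy being guarded is outside the visible context, so it is worth confirming that its destination is req->hashkey and that no other caller reaches it with an unchecked length.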
