mana_ib_create_qp_rss() passes the user-supplied ucmd.rx_hash_key_len
directly to mana_ib_cfg_vport_steering(), which uses it as the length
argument to memcpy(req->hashkey, rx_hash_key, rx_hash_key_len).
A value greater than MANA_HASH_KEY_SIZE leads to an out-of-bounds read
from the kernel stack and an out-of-bounds write past req->hashkey
within the kzalloc'd struct mana_cfg_rx_steer_req_v2.
Reject any rx_hash_key_len greater than MANA_HASH_KEY_SIZE.
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Reported-by: Yuhao Jiang <[email protected]>
Cc: [email protected]
Signed-off-by: Junrui Luo <[email protected]>
---
drivers/infiniband/hw/mana/qp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c
index 82f84f7ad37a..f5ab545cfd74 100644
--- a/drivers/infiniband/hw/mana/qp.c
+++ b/drivers/infiniband/hw/mana/qp.c
@@ -151,6 +151,13 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp,
struct ib_pd *pd,
return -EINVAL;
}
+ if (ucmd.rx_hash_key_len > MANA_HASH_KEY_SIZE) {
+ ibdev_dbg(&mdev->ib_dev,
+ "RX Hash key length %u exceeds maximum %u\n",
+ ucmd.rx_hash_key_len, MANA_HASH_KEY_SIZE);
+ return -EINVAL;
+ }
+
/* IB ports start with 1, MANA start with 0 */
port = ucmd.port;
ndev = mana_ib_get_netdev(pd->device, port);
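Review bot: the added ucmd.rx_hash_key_len > MANA_HASH_KEY_SIZE check bounds the length only in mana_ib_create_qp_rss(), while the memcpy() named in the commit message lives in mana_ib_cfg_vport_steering(), so the copy itself stays unbounded for any other or future caller. Consider also validating rx_hash_key_len next to the memcpy in mana_ib_cfg_vport_steering(), or adding a comment there stating that callers must have checked it. The check rejects only oversized keys; it would help if the commit message said whether a length of zero or one shorter than MANA_HASH_KEY_SIZE is a valid request, since those values still reach the steering configuration unchanged.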
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260421-fixes-9402b9f92e0f
Best regards,
--
Junrui Luo <[email protected]>