Hi,

Please find a few patches against branch for-next of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband.git, current head 3e7645800a89f2adccb8d635d36f2fb648048141.

This is a collection of patches to add more checks on userspace provided input parameters to cm, cma and verbs subsystems:

The InfiniBand/RDMA subsystems are not currently making enough checks on user input data. In particular:
- they should not read past the input buffer,
- they should not write past the output buffer.

Each of these userspace APIs should use the user provided lengths for buffers and not read/write outside those boundaries.

I hope the proposed fixes are straightforward and not disruptive.

I've made some tests, but I cannot test every code path without a proper test suite and the matching infrastructure.

I've tested on a small InfiniBand fabric, with an 8-port switch, one node with 2 HCAs (1 port, 2 ports), a second node with 1 HCA (1 port), each port connected to the switch. I've also tested with two nodes connected back to back.

I've searched for regressions using the following programs:

  ibaddr
  ibstat
  ibstatus
  ibportstate <lid> query
  ibroute <lid>
  ibswitches
  sminfo
  smpquery portinfo <lid>
  smpquery nodeinfo <lid>
  saquery
  ibv_devices
  ibv_devinfo
  rdma_client/rdma_server
  rdma_xclient/rdma_xserver
  ibv_rc_pingpong
  ib_{read,write}_{bw,lat}

I've tested only with Fedora 19 using: libipathverbs 1.2, libmlx4 1.0.5, libibverbs 1.1.17, librdmacm 1.0.17, libibmad 1.3.9, libibumad 1.3.8, opensm 3.3.15, infiniband-diags 1.6.1.

Testing with older/other libraries/tools could be interesting.

Please have a good review. I'm ready to answer questions and update the patchset.

Regards.

Yann Droneaud (22):
  infiniband: ib_copy_{from,to}_udata(): const'ify arguments
  infiniband: ib_udata: const'ify inbuf
  infiniband: ib_copy_from_udata(): check input length
  infiniband: ib_copy_to_udata(): check output length
  ucm: ib_ucm_event(): returns ENOSPC instead of ENOMEM
  ucm: changes ib_ucm_alloc_data() src arg to be a pointer
  ucm: changes ib_ucm_path_get() src arg to be a pointer
  ucm: check userspace input length
  ucm: use size_t for userspace buffer input and output length
  ucm: ib_ucm_write(): check userspace buffer length first
  ucm: ib_ucm_write(): strict userspace buffer length check
  ucma: check userspace input length
  ucma: ucma_migrate_id(): check output length
  ucma: ucma_query_path(): check output length
  ucma: use size_t for userspace buffer input and output length
  ucma: ucma_write(): check userspace buffer length first
  ucma: ucma_write(): strict userspace buffer length check
  uverbs: check input length
  uverbs: check output length
  uverbs: ib_uverbs_poll_cq(): check output length against number of wc
  uverbs: fix call to INIT_UDATA with no output buffer
  uverbs: use size_t for userspace buffer input and output length

 drivers/infiniband/core/ucm.c         | 156 ++++++++++++++------
 drivers/infiniband/core/ucma.c        | 131 +++++++++++++----
 drivers/infiniband/core/uverbs.h      |   4 +-
 drivers/infiniband/core/uverbs_cmd.c  | 258 +++++++++++++++++++++++++---------
 drivers/infiniband/core/uverbs_main.c |   4 +-
 include/rdma/ib_verbs.h               |  12 +-
 6 files changed, 422 insertions(+), 143 deletions(-)

-- 
1.8.3.1
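
The two rules stated in this cover letter (never read past the input buffer, never write past the output buffer), as an added userspace C model that is not code from the patch series or from the kernel. The struct and function names, the command/response layouts and the errno choices (-EINVAL for short input, -ENOSPC for short output) are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model; names and layouts are hypothetical, not the kernel's. */
struct udata_model {
    const void *inbuf;   /* caller-supplied input  */
    void       *outbuf;  /* caller-supplied output */
    size_t      inlen;   /* bytes the caller says inbuf holds    */
    size_t      outlen;  /* bytes the caller says outbuf can take */
};

/* Refuse to read more than the caller provided. */
static int copy_from_udata(void *dest, const struct udata_model *u, size_t len)
{
    if (len > u->inlen)
        return -EINVAL;          /* assumed errno */
    memcpy(dest, u->inbuf, len);
    return 0;
}

/* Refuse to write more than the caller has room for. */
static int copy_to_udata(const struct udata_model *u, const void *src, size_t len)
{
    if (len > u->outlen)
        return -ENOSPC;          /* assumed errno */
    memcpy(u->outbuf, src, len);
    return 0;
}

struct query_cmd  { uint32_t handle; uint32_t reserved; };
struct query_resp { uint32_t handle; uint32_t state; uint64_t guid; };

/* Hypothetical command handler: both lengths are validated before any work. */
static int handle_query(const struct udata_model *u)
{
    struct query_cmd cmd;
    struct query_resp resp;
    int ret;

    if (u->outlen < sizeof(resp))    /* fail early, before side effects */
        return -ENOSPC;
    ret = copy_from_udata(&cmd, u, sizeof(cmd));
    if (ret)
        return ret;
    memset(&resp, 0, sizeof(resp));  /* no uninitialised bytes reach the caller */
    resp.handle = cmd.handle;
    resp.state  = 1;                      /* constructed value */
    resp.guid   = 0x1122334455667788ULL;  /* constructed value */
    return copy_to_udata(u, &resp, sizeof(resp));
}
```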