Hi,

Please find a few patches against branch for-next of
git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband.git,
current head 3e7645800a89f2adccb8d635d36f2fb648048141.

This is a collection of patches to add more checks on userspace-provided
input parameters to the cm, cma and verbs subsystems:
The InfiniBand/RDMA subsystems are not currently making enough checks on
user input data. In particular:
- they should not read past the input buffer,
- they should not write past the output buffer.
Each of these userspace APIs should use the user-provided lengths
for buffers and not read/write outside those boundaries.

I hope the proposed fixes are straightforward and not disruptive.

I've made some tests, but I cannot test every code path without a proper
test suite and the matching infrastructure. 

I've tested on a small InfiniBand fabric, with an 8-port switch,
one node with 2 HCAs (1 port, 2 ports), a second node with 1 HCA (1 port),
each port connected to the switch. I've also tested with two nodes connected
back to back.

I've searched for regressions using the following programs:

    ibaddr
    ibstat
    ibstatus
    ibportstate <lid> query
    ibroute <lid>
    ibswitches
    sminfo
    smpquery portinfo <lid>
    smpquery nodeinfo <lid>
    saquery
    ibv_devices
    ibv_devinfo
    rdma_client/rdma_server
    rdma_xclient/rdma_xserver
    ibv_rc_pingpong
    ib_{read,write}_{bw,lat}

I've tested only with Fedora 19 using:

     libipathverbs 1.2,
     libmlx4 1.0.5,
     libibverbs 1.1.17,
     librdmacm 1.0.17,
     libibmad 1.3.9,
     libibumad 1.3.8,
     opensm 3.3.15,
     infiniband-diags 1.6.1.

Testing with older/other libraries/tools could be interesting.

Please have a good review. I'm ready to answer questions and update the
patchset.

Regards.

Yann Droneaud (22):
  infiniband: ib_copy_{from,to}_udata(): const'ify arguments
  infiniband: ib_udata: const'ify inbuf
  infiniband: ib_copy_from_udata(): check input length
  infiniband: ib_copy_to_udata(): check output length
  ucm: ib_ucm_event(): returns ENOSPC instead of ENOMEM
  ucm: changes ib_ucm_alloc_data() src arg to be a pointer
  ucm: changes ib_ucm_path_get() src arg to be a pointer
  ucm: check userspace input length
  ucm: use size_t for userspace buffer input and output length
  ucm: ib_ucm_write(): check userspace buffer length first
  ucm: ib_ucm_write(): strict userspace buffer length check
  ucma: check userspace input length
  ucma: ucma_migrate_id(): check output length
  ucma: ucma_query_path(): check output length
  ucma: use size_t for userspace buffer input and output length
  ucma: ucma_write(): check userspace buffer length first
  ucma: ucma_write(): strict userspace buffer length check
  uverbs: check input length
  uverbs: check output length
  uverbs: ib_uverbs_poll_cq(): check output length against number of wc
  uverbs: fix call to INIT_UDATA with no output buffer
  uverbs: use size_t for userspace buffer input and output length

 drivers/infiniband/core/ucm.c         | 156 ++++++++++++++------
 drivers/infiniband/core/ucma.c        | 131 +++++++++++++----
 drivers/infiniband/core/uverbs.h      |   4 +-
 drivers/infiniband/core/uverbs_cmd.c  | 258 +++++++++++++++++++++++++---------
 drivers/infiniband/core/uverbs_main.c |   4 +-
 include/rdma/ib_verbs.h               |  12 +-
 6 files changed, 422 insertions(+), 143 deletions(-)

-- 
1.8.3.1
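
The two rules stated in the cover letter (do not read past the input buffer, do not write past the output buffer), as an added example that is not code from this patch series: a userspace model of the kernel's `struct ib_udata` copy helpers, with `memcpy()` standing in for `copy_from_user()`/`copy_to_user()`. The names `udata_model`, `copy_*_udata_checked` and `demo_*` are hypothetical, the command layout is constructed, and the errno values are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of struct ib_udata: caller buffers and declared lengths. */
struct udata_model {
	const void *inbuf;	/* request bytes from the caller */
	void *outbuf;		/* response area owned by the caller */
	size_t inlen;		/* bytes the caller says inbuf holds */
	size_t outlen;		/* bytes the caller says outbuf can take */
};

/* Copy len request bytes, refusing to read past the declared input. */
static int copy_from_udata_checked(void *dst, const struct udata_model *u, size_t len)
{
	if (len > u->inlen)
		return -EINVAL;		/* assumed errno for a short request */
	memcpy(dst, u->inbuf, len);	/* copy_from_user() in the kernel */
	return 0;
}

/* Copy len response bytes, refusing to write past the declared output. */
static int copy_to_udata_checked(struct udata_model *u, const void *src, size_t len)
{
	if (len > u->outlen)
		return -ENOSPC;		/* assumed errno for a short response buffer */
	memcpy(u->outbuf, src, len);	/* copy_to_user() in the kernel */
	return 0;
}

/* Constructed command layout: 8-byte request, 16-byte response. */
struct demo_cmd { unsigned int handle; unsigned int flags; };
struct demo_resp { unsigned long long cookie[2]; };
/* Hypothetical handler driven by caller-declared lengths; returns 0 or -errno. */
static int demo_handler(size_t declared_in, size_t declared_out)
{
	unsigned char in[sizeof(struct demo_cmd)] = { 1, 0, 0, 0, 2, 0, 0, 0 };
	unsigned char out[sizeof(struct demo_resp)];
	struct udata_model u = { in, out, declared_in, declared_out };
	struct demo_cmd cmd;
	struct demo_resp resp = { { 0x1122, 0x3344 } };
	int ret = copy_from_udata_checked(&cmd, &u, sizeof(cmd));
	return ret ? ret : copy_to_udata_checked(&u, &resp, sizeof(resp));
}

int main(void)
{
	printf("%d %d %d\n", demo_handler(8, 16), demo_handler(4, 16), demo_handler(8, 8));
	return 0;
}
```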
