Hi Roland,

On Monday 05 May 2014 at 19:35 +0200, Yann Droneaud wrote:
> The i386 ABI disagrees with most other ABIs regarding the alignment
> of data types larger than 4 bytes: on most ABIs padding must
> be added at the end of such structures, while it is not required on
> i386.
> 
> So on most ABIs struct c4iw_alloc_ucontext_resp gets implicitly padded
> to be aligned on a multiple of 8 bytes, while on i386 such padding
> is not added.
> 
> The pahole tool can be used to find such implicit padding:
> 
>   $ pahole --anon_include \
>            --nested_anon_include \
>            --recursive \
>            --class_name c4iw_alloc_ucontext_resp \
>            drivers/infiniband/hw/cxgb4/iw_cxgb4.o
> 
> Then the structure layout can be compared between i386 and x86_64:
> 
>   +++ obj-i386/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt   2014-03-28 
> 11:43:05.547432195 +0100
>   --- obj-x86_64/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 
> 10:55:10.990133017 +0100
>   @@ -2,9 +2,8 @@ struct c4iw_alloc_ucontext_resp {
>           __u64                      status_page_key;      /*     0     8 */
>           __u32                      status_page_size;     /*     8     4 */
> 
>   -       /* size: 12, cachelines: 1, members: 2 */
>   -       /* last cacheline: 12 bytes */
>   +       /* size: 16, cachelines: 1, members: 2 */
>   +       /* padding: 4 */
>   +       /* last cacheline: 16 bytes */
>    };
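Review bot: the `+`/`-` markers in the hunk body contradict the file headers and the hunk counts. The `+++` header names obj-i386 and `@@ -2,9 +2,8 @@` says the new side is one line shorter, yet the `+` lines carry `size: 16` / `padding: 4` (the x86_64 layout described in the text) and add a line, while the `-` lines show the 12-byte i386 layout. Either regenerate the diff as `diff -u obj-i386/... obj-x86_64/...` so the headers become `--- obj-i386` / `+++ obj-x86_64`, or keep the current headers and invert the body lines; as shown, a reader checking the hunk against the prose gets the two ABIs the wrong way round.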
> 
> This ABI disagreement will make an x86_64 kernel try to write
> past the buffer provided by an i386 binary.
> 
> When boundary checking is implemented, the x86_64 kernel will
> refuse to write past the buffer provided by i386 userspace
> and the uverb will fail.
> 
> If the structure lies in memory at a page boundary and the next page
> is not mapped, ib_copy_to_udata() will fail and the uverb
> will fail.
> 
> Additionally, as reported by Dan Carpenter, without the implicit
> padding being properly cleared, an information leak would take
> place on most architectures.
> 
> This patch adds explicit padding to struct c4iw_alloc_ucontext_resp,
> and, like 92b0ca7cb149 ('IB/mlx5: Fix stack info leak in
> mlx5_ib_alloc_ucontext()'), makes c4iw_alloc_ucontext()
> not write this padding field to userspace. This way, the x86_64 kernel
> will be able to write struct c4iw_alloc_ucontext_resp as expected by
> unpatched and patched i386 libcxgb4.
> 
> Link: http://marc.info/?i=cover.1399309513.git.ydrone...@opteya.com
> Link: http://marc.info/?i=1395848977.3297.15.camel@localhost.localdomain
> Link: http://marc.info/?i=20140328082428.GH25192@mwanda
> Fixes: 05eb23893c2c ('cxgb4/iw_cxgb4: Doorbell Drop Avoidance Bug Fixes')
> Reported-by: Yann Droneaud <ydrone...@opteya.com>
> Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
> Signed-off-by: Yann Droneaud <ydrone...@opteya.com>

I believe this one should go in v3.15-rc7 as it fixes an issue
introduced in v3.15-rc1. See 
http://marc.info/?i=20140328082428.GH25192@mwanda
http://marc.info/?i=20140502235616.GJ4963@mwanda

The other patches could probably wait for v3.16-rc1 for integration in
linux-stable.

Regards.

-- 
Yann Droneaud
OPTEYA
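As an added illustration of the fix pattern the quoted commit message describes (this is constructed example code, not the patch or the cxgb4 driver's own code): making the tail padding an explicit field and copying only the bytes before it, so both i386 and x86_64 userspace receive the same 12 bytes and the padding's stale contents never reach userspace. The `_old`/`_new` struct suffixes, the field name `reserved`, and the copy_resp_to_user() stand-in for ib_copy_to_udata() are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Layout before the patch: the two members pahole lists above. */
struct c4iw_alloc_ucontext_resp_old {
    uint64_t status_page_key;
    uint32_t status_page_size;
};

/* Layout after the patch: the implicit tail padding made explicit. The
 * field name `reserved` is an assumption; the page does not show the patch. */
struct c4iw_alloc_ucontext_resp_new {
    uint64_t status_page_key;
    uint32_t status_page_size;
    uint32_t reserved;
};

/* Bytes handed to userspace: everything before the explicit padding, i.e.
 * 12 on every ABI, which is what an unpatched i386 libcxgb4 allocated. */
size_t resp_wire_size(void)
{
    return offsetof(struct c4iw_alloc_ucontext_resp_new, reserved);
}

/* Stand-in for a bounds-checked ib_copy_to_udata(): refuse the copy rather
 * than write past the `outlen`-byte userspace buffer. Returns 0 or -1. */
int copy_resp_to_user(unsigned char *ubuf, size_t outlen,
                      const struct c4iw_alloc_ucontext_resp_new *resp)
{
    size_t n = resp_wire_size();
    if (n > outlen) return -1;
    memcpy(ubuf, resp, n);
    return 0;
}

/* Returns 1 when a 16-byte user buffer receives exactly the two real members
 * and its last four bytes stay untouched, although the kernel-side struct was
 * first filled with stale stack contents (constructed here as 0xAA bytes). */
int padding_does_not_leak(void)
{
    struct c4iw_alloc_ucontext_resp_new resp;
    unsigned char ubuf[16] = {0};
    memset(&resp, 0xAA, sizeof resp);
    resp.status_page_key = 0x1122334455667788ULL;
    resp.status_page_size = 4096;
    if (copy_resp_to_user(ubuf, sizeof ubuf, &resp) != 0)
        return 0;
    return memcmp(ubuf, &resp, 12) == 0 &&
           ubuf[12] == 0 && ubuf[13] == 0 && ubuf[14] == 0 && ubuf[15] == 0;
}
```

Compiling the same file with -m32 and -m64 shows sizeof the `_old` struct changing between 12 and 16 while resp_wire_size() and sizeof the `_new` struct stay fixed.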
