From patchwork Tue Aug 28 20:13:18 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 145363
From: Amit Pundir
To: Greg KH
Cc: Stable, Kees Cook, Moni Shoua, Doug Ledford, Sean Hefty, Daniel Micay, Andrew Morton, Linus Torvalds
Subject: [PATCH for-4.9.y 07/14] IB/rxe: do not copy extra stack memory to skb
Date: Wed, 29 Aug 2018 01:43:18 +0530
Message-Id: <1535487205-26280-8-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org>
References: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Kees Cook

commit 4c93496f18ce5044d78e4f7f9e018682a4f44b3d upstream.

This fixes an over-read condition detected by FORTIFY_SOURCE for this
line:

	memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb));

The error was:

  In file included from ./include/linux/bitmap.h:8:0,
                   from ./include/linux/cpumask.h:11,
                   from ./include/linux/mm_types_task.h:13,
                   from ./include/linux/mm_types.h:4,
                   from ./include/linux/kmemcheck.h:4,
                   from ./include/linux/skbuff.h:18,
                   from drivers/infiniband/sw/rxe/rxe_resp.c:34:
  In function 'memcpy',
      inlined from 'send_atomic_ack.constprop' at drivers/infiniband/sw/rxe/rxe_resp.c:998:2,
      inlined from 'acknowledge' at drivers/infiniband/sw/rxe/rxe_resp.c:1026:3,
      inlined from 'rxe_responder' at drivers/infiniband/sw/rxe/rxe_resp.c:1286:10:
  ./include/linux/string.h:309:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
      __read_overflow2();

Daniel Micay noted that struct rxe_pkt_info is 32 bytes on 32-bit
architectures, but skb->cb is still 64. The memcpy() over-reads 32
bytes. This fixes it by zeroing the unused bytes in skb->cb.

Link: http://lkml.kernel.org/r/1497903987-21002-5-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook
Cc: Moni Shoua
Cc: Doug Ledford
Cc: Sean Hefty
Cc: Daniel Micay
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Amit Pundir

--- drivers/infiniband/sw/rxe/rxe_resp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.7.4 diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c index 0d25dc84d294..2152c71a99d3 100644 --- a/drivers/infiniband/sw/rxe/rxe_resp.c +++ b/drivers/infiniband/sw/rxe/rxe_resp.c 
@@ -978,7 +978,9 @@ static int send_atomic_ack(struct rxe_qp *qp, struct rxe_pkt_info *pkt, free_rd_atomic_resource(qp, res); rxe_advance_resp_resource(qp); - memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb)); + memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(ack_pkt)); + memset((unsigned char *)SKB_TO_PKT(skb) + sizeof(ack_pkt), 0, + sizeof(skb->cb) - sizeof(ack_pkt)); res->type = RXE_ATOMIC_MASK; res->atomic.skb = skb;
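
Review bot: the memset length in the added lines, sizeof(skb->cb) - sizeof(ack_pkt), is an unsigned subtraction that is only correct while struct rxe_pkt_info fits inside skb->cb, and nothing in this hunk enforces that. If the struct ever grows past the cb size, the length wraps to a huge value and the memset runs off the end of the skb. Consider adding BUILD_BUG_ON(sizeof(ack_pkt) > sizeof(skb->cb)); next to the copy so the assumption fails at compile time instead. The (unsigned char *) pointer arithmetic could also be dropped by zeroing the whole cb first and then copying sizeof(ack_pkt) bytes, at the cost of writing the leading bytes twice.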