proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2025-11-15 05:06:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e40f74c535
mirror_ubuntu-kernels/net/rds
History
Sabyrzhan Tasbolatov a11148e6fc net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS 
syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
control message is passed with user-controlled
0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.

The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
is the closest limit, with 0x10 leftover.

Same condition is currently done in rds_cmsg_rdma_args().

[1] WARNING: mm/page_alloc.c:5011
[..]
Call Trace:
 alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
 alloc_pages include/linux/gfp.h:547 [inline]
 kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
 kmalloc_array include/linux/slab.h:592 [inline]
 kcalloc include/linux/slab.h:621 [inline]
 rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
 rds_rm_size net/rds/send.c:928 [inline]

Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Link: https://lore.kernel.org/r/20210201203233.1324704-1-snovitoll@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-02-02 08:44:08 -08:00
..
af_rds.c net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
bind.c net/rds: Check laddr_check before calling it 2019-09-27 12:10:55 +02:00
cong.c net: rds: delete duplicated words 2020-09-18 14:12:43 -07:00
connection.c rds: If one path needs re-connection, check all and re-connect 2020-07-01 17:35:17 -07:00
ib_cm.c rds: stop using dmapool 2020-11-17 15:22:06 -04:00
ib_frmr.c RDMA/rds: Remove FMR support for memory registration 2020-06-02 20:32:53 -03:00
ib_mr.h RDMA/rds: Remove FMR support for memory registration 2020-06-02 20:32:53 -03:00
ib_rdma.c RDMA/rds: Remove FMR support for memory registration 2020-06-02 20:32:53 -03:00
ib_recv.c rds: stop using dmapool 2020-11-17 15:22:06 -04:00
ib_ring.c
ib_send.c rds: stop using dmapool 2020-11-17 15:22:06 -04:00
ib_stats.c net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' 2019-09-15 20:56:19 +02:00
ib_sysctl.c
ib.c rds: stop using dmapool 2020-11-17 15:22:06 -04:00
ib.h rds: stop using dmapool 2020-11-17 15:22:06 -04:00
info.c rds: fix crash in rds_info_getsockopt() 2020-05-20 14:08:06 -07:00
info.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
loop.c rds: Changing IP address internal representation to struct in6_addr 2018-07-23 21:17:44 -07:00
loop.h rds: clean up loopback rds_connections on netns deletion 2018-06-27 10:11:03 +09:00
Makefile RDMA/rds: Remove FMR support for memory registration 2020-06-02 20:32:53 -03:00
message.c net/rds: Use ERR_PTR for rds_message_alloc_sgs() 2020-04-15 12:33:29 -07:00
page.c rds: remove dead code 2016-12-26 21:35:39 -05:00
rdma_transport.c net: rds: add service level support in rds-info 2019-08-24 16:55:25 -07:00
rdma_transport.h net: rds: rdma_transport.h: delete duplicated word 2020-07-19 18:14:51 -07:00
rdma.c net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS 2021-02-02 08:44:08 -08:00
rds_single_path.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rds.h net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
recv.c rds: Prevent kernel-infoleak in rds_notify_queue_get() 2020-07-31 16:52:48 -07:00
send.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
stats.c rds: check for excessive looping in rds_send_xmit 2019-08-15 12:04:24 -07:00
sysctl.c net: rds: fix coding style issues 2016-06-18 21:34:09 -07:00
tcp_connect.c net: add sock_no_linger 2020-05-28 11:11:44 -07:00
tcp_listen.c tcp: add tcp_sock_set_keepcnt 2020-05-28 11:11:45 -07:00
tcp_recv.c rds: Changing IP address internal representation to struct in6_addr 2018-07-23 21:17:44 -07:00
tcp_send.c tcp: add tcp_sock_set_cork 2020-05-28 11:11:45 -07:00
tcp_stats.c
tcp.c tcp: add tcp_sock_set_nodelay 2020-05-28 11:11:45 -07:00
tcp.h tcp: add tcp_sock_set_keepcnt 2020-05-28 11:11:45 -07:00
threads.c rds: make v3.1 as compat version 2019-02-04 14:59:11 -08:00
transport.c rds: transport module should be auto loaded when transport is set 2020-06-25 16:26:25 -07:00