[PATCH 5.4 084/178] RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532

From: Sasha Levin
Date: Mon Jun 29 2020 - 15:48:44 EST

Next message: Sasha Levin: "[PATCH 5.4 083/178] RDMA/rvt: Fix potential memory leak caused by rvt_alloc_rq"
Previous message: Sasha Levin: "[PATCH 5.4 023/178] ip_tunnel: fix use-after-free in ip_tunnel_lookup()"
In reply to: Sasha Levin: "[PATCH 5.4 023/178] ip_tunnel: fix use-after-free in ip_tunnel_lookup()"
Next in thread: Sasha Levin: "[PATCH 5.4 083/178] RDMA/rvt: Fix potential memory leak caused by rvt_alloc_rq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michal Kalderon <michal.kalderon@xxxxxxxxxxx>

[ Upstream commit 0dfbd5ecf28cbcb81674c49d34ee97366db1be44 ]

Private data passed to iwarp_cm_handler is copied for connection request /
response, but ignored otherwise. If junk is passed, it is stored in the
event and used later in the event processing.

The driver passes an old junk pointer during connection close which leads
to a use-after-free on event processing. Set private data to NULL for
events that don 't have private data.

BUG: KASAN: use-after-free in ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: Read of size 4 at addr ffff8886caa71200 by task kworker/u128:1/5250
kernel:
kernel: Workqueue: iw_cm_wq cm_work_handler [iw_cm]
kernel: Call Trace:
kernel: dump_stack+0x8c/0xc0
kernel: print_address_description.constprop.0+0x1b/0x210
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: __kasan_report.cold+0x1a/0x33
kernel: ? ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: kasan_report+0xe/0x20
kernel: check_memory_region+0x130/0x1a0
kernel: memcpy+0x20/0x50
kernel: ucma_event_handler+0x532/0x560 [rdma_ucm]
kernel: ? __rpc_execute+0x608/0x620 [sunrpc]
kernel: cma_iw_handler+0x212/0x330 [rdma_cm]
kernel: ? iw_conn_req_handler+0x6e0/0x6e0 [rdma_cm]
kernel: ? enqueue_timer+0x86/0x140
kernel: ? _raw_write_lock_irq+0xd0/0xd0
kernel: cm_work_handler+0xd3d/0x1070 [iw_cm]

Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
Link: https://lore.kernel.org/r/20200616093408.17827-1-michal.kalderon@xxxxxxxxxxx
Signed-off-by: Ariel Elior <ariel.elior@xxxxxxxxxxx>
Signed-off-by: Michal Kalderon <michal.kalderon@xxxxxxxxxxx>
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/infiniband/hw/qedr/qedr_iw_cm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index 5e9732990be5c..a7a926b7b5628 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -150,8 +150,17 @@ qedr_iw_issue_event(void *context,
if (params->cm_info) {
event.ird = params->cm_info->ird;
event.ord = params->cm_info->ord;
- event.private_data_len = params->cm_info->private_data_len;
- event.private_data = (void *)params->cm_info->private_data;
+ /* Only connect_request and reply have valid private data
+ * the rest of the events this may be left overs from
+ * connection establishment. CONNECT_REQUEST is issued via
+ * qedr_iw_mpa_request
+ */
+ if (event_type == IW_CM_EVENT_CONNECT_REPLY) {
+ event.private_data_len =
+ params->cm_info->private_data_len;
+ event.private_data =
+ (void *)params->cm_info->private_data;
+ }
}

if (ep->cm_id)
--
2.25.1

Next message: Sasha Levin: "[PATCH 5.4 083/178] RDMA/rvt: Fix potential memory leak caused by rvt_alloc_rq"
Previous message: Sasha Levin: "[PATCH 5.4 023/178] ip_tunnel: fix use-after-free in ip_tunnel_lookup()"
In reply to: Sasha Levin: "[PATCH 5.4 023/178] ip_tunnel: fix use-after-free in ip_tunnel_lookup()"
Next in thread: Sasha Levin: "[PATCH 5.4 083/178] RDMA/rvt: Fix potential memory leak caused by rvt_alloc_rq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]