Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()

struct irdma_create_ah_resp {  // 8 bytes, no padding
    __u32 ah_id;    // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
    __u8  rsvd[4];  // offset 4 - NEVER SET <- LEAK
};

rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().

The reserved members of the structure were not zeroed.

Cc: stable@vger.kernel.org
Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>

Authored by Jason Gunthorpe and committed by Leon Romanovsky
74586c6d 117942ca

+1 -1
drivers/infiniband/hw/irdma/verbs.c
··· 5212 5212 #define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd) 5213 5213 struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah); 5214 5214 struct irdma_device *iwdev = to_iwdev(ibah->pd->device); 5215 - struct irdma_create_ah_resp uresp; 5215 + struct irdma_create_ah_resp uresp = {}; 5216 5216 struct irdma_ah *parent_ah; 5217 5217 int err; 5218 5218
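
Review bot: The `= {}` on `uresp` at line 5215 is the only thing clearing `rsvd`, and nothing in the code says so; a short comment there would keep a later cleanup from dropping the initializer as redundant. IRDMA_CREATE_AH_MIN_RESP_LEN is defined as offsetofend(struct irdma_create_ah_resp, rsvd), so the minimum response length spans the reserved bytes and they cannot be treated as optional output. The empty initializer is sufficient here because, per the commit message, the struct is 8 bytes with no padding; if a member is ever added that introduces padding, this should be revisited with an explicit memset() of the whole struct before the fields are filled in.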