Commit 18172f07 authored by Guangguan Wang's avatar Guangguan Wang Committed by Zeng Heng
Browse files

net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg 

stable inclusion
from stable-v6.6.68
commit 295a92e3df32e72aff0f4bc25c310e349d07ffbf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJCCV
CVE: CVE-2024-49568

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=295a92e3df32e72aff0f4bc25c310e349d07ffbf



--------------------------------

[ Upstream commit 7863c9f3d24ba49dbead7e03dfbe40deb5888fdf ]

When receiving proposal msg in server, the fields v2_ext_offset/
eid_cnt/ism_gid_cnt in proposal msg are from the remote client
and can not be fully trusted. Especially the field v2_ext_offset,
once exceed the max value, there has the chance to access wrong
address, and crash may happen.

This patch checks the fields v2_ext_offset/eid_cnt/ism_gid_cnt
before using them.

Fixes: 8c3dca34 ("net/smc: build and send V2 CLC proposal")
Signed-off-by: default avatarGuangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: default avatarWen Gu <guwen@linux.alibaba.com>
Reviewed-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Conflicts:
	net/smc/smc_clc.c
[Fix context conflict.]
Signed-off-by: default avatarZeng Heng <zengheng4@huawei.com>
parent 6a2a7743

net/smc/af_smc.c

+2 −1
Original line number Diff line number Diff line
@@ -2280,7 +2280,8 @@ static void smc_find_rdma_v2_device_serv(struct smc_sock *new_smc, 
		goto not_found;



	smc_v2_ext = smc_get_clc_v2_ext(pclc);

	if (!smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))

	if (!smc_v2_ext ||

	    !smc_clc_match_eid(ini->negotiated_eid, smc_v2_ext, NULL, NULL))

		goto not_found;



	/* prepare RDMA check */

net/smc/smc_clc.c

+7 −1
Original line number Diff line number Diff line
@@ -352,7 +352,6 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) 
	struct smc_clc_msg_hdr *hdr = &pclc->hdr;

	struct smc_clc_v2_extension *v2_ext;



	v2_ext = smc_get_clc_v2_ext(pclc);

	pclc_prfx = smc_clc_proposal_get_prefix(pclc);

	if (hdr->version == SMC_V1) {

		if (hdr->typev1 == SMC_TYPE_N)
@@ -365,6 +364,13 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) 
			sizeof(struct smc_clc_msg_trail))

			return false;

	} else {

		v2_ext = smc_get_clc_v2_ext(pclc);

		if ((hdr->typev2 != SMC_TYPE_N &&

		     (!v2_ext || v2_ext->hdr.eid_cnt > SMC_CLC_MAX_UEID)) ||

		    (smcd_indicated(hdr->typev2) &&

		     v2_ext->hdr.ism_gid_cnt > SMCD_CLC_MAX_V2_GID_ENTRIES))

			return false;



		if (ntohs(hdr->length) !=

			sizeof(*pclc) +

			sizeof(struct smc_clc_msg_smcd) +

net/smc/smc_clc.h

+7 −1
Original line number Diff line number Diff line
@@ -366,8 +366,14 @@ static inline struct smc_clc_v2_extension * 
smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop)

{

	struct smc_clc_msg_smcd *prop_smcd = smc_get_clc_msg_smcd(prop);

	u16 max_offset;



	if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset))

	max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) -

		     offsetof(struct smc_clc_msg_proposal_area, pclc_smcd) -

		     offsetofend(struct smc_clc_msg_smcd, v2_ext_offset);



	if (!prop_smcd || !ntohs(prop_smcd->v2_ext_offset) ||

	    ntohs(prop_smcd->v2_ext_offset) > max_offset)

		return NULL;



	return (struct smc_clc_v2_extension *)