diff options
| author | Yann Droneaud <ydroneaud@opteya.com> | 2013-12-11 17:01:49 -0500 |
|---|---|---|
| committer | Roland Dreier <roland@purestorage.com> | 2013-12-20 13:54:32 -0500 |
| commit | c780d82a74cdf247a81f877ecae569b3a248f89b (patch) | |
| tree | 09d416e757e1f4d844618cc0f8ac71534eb01b38 | |
| parent | 2782c2d302557403e314a43856f681a5385e62c6 (diff) | |
IB/uverbs: Check reserved fields in create_flow
As noted by Daniel Vetter in its article "Botching up ioctls"[1]
"Check *all* unused fields and flags and all the padding for whether
it's 0, and reject the ioctl if that's not the case. Otherwise
your nice plan for future extensions is going right down the
gutters since someone *will* submit an ioctl struct with random
stack garbage in the yet unused parts. Which then bakes in the ABI
that those fields can never be used for anything else but garbage."
It's important to ensure that reserved fields are set to known value,
so that it will be possible to use them latter to extend the ABI.
The same reasonning apply to comp_mask field present in newer uverbs
command: per commit 22878dbc9173 ("IB/core: Better checking of
userspace values for receive flow steering"), unsupported values in
comp_mask are rejected.
[1] http://blog.ffwll.ch/2013/11/botching-up-ioctls.html
Link: http://marc.info/?i=cover.1386798254.git.ydroneaud@opteya.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
| -rw-r--r-- | drivers/infiniband/core/uverbs_cmd.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index f0ee6b92132a..4e8b15c50481 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c | |||
| @@ -2593,6 +2593,9 @@ out_put: | |||
| 2593 | static int kern_spec_to_ib_spec(struct ib_uverbs_flow_spec *kern_spec, | 2593 | static int kern_spec_to_ib_spec(struct ib_uverbs_flow_spec *kern_spec, |
| 2594 | union ib_flow_spec *ib_spec) | 2594 | union ib_flow_spec *ib_spec) |
| 2595 | { | 2595 | { |
| 2596 | if (kern_spec->reserved) | ||
| 2597 | return -EINVAL; | ||
| 2598 | |||
| 2596 | ib_spec->type = kern_spec->type; | 2599 | ib_spec->type = kern_spec->type; |
| 2597 | 2600 | ||
| 2598 | switch (ib_spec->type) { | 2601 | switch (ib_spec->type) { |
| @@ -2671,6 +2674,10 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file, | |||
| 2671 | (cmd.flow_attr.num_of_specs * sizeof(struct ib_uverbs_flow_spec))) | 2674 | (cmd.flow_attr.num_of_specs * sizeof(struct ib_uverbs_flow_spec))) |
| 2672 | return -EINVAL; | 2675 | return -EINVAL; |
| 2673 | 2676 | ||
| 2677 | if (cmd.flow_attr.reserved[0] || | ||
| 2678 | cmd.flow_attr.reserved[1]) | ||
| 2679 | return -EINVAL; | ||
| 2680 | |||
| 2674 | if (cmd.flow_attr.num_of_specs) { | 2681 | if (cmd.flow_attr.num_of_specs) { |
| 2675 | kern_flow_attr = kmalloc(sizeof(*kern_flow_attr) + cmd.flow_attr.size, | 2682 | kern_flow_attr = kmalloc(sizeof(*kern_flow_attr) + cmd.flow_attr.size, |
| 2676 | GFP_KERNEL); | 2683 | GFP_KERNEL); |