Description
In the Linux kernel, the following vulnerability has been resolved: net/rds: zero per-item info buffer before handing it to visitors rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space. struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug. Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers: 0..7 0a 63 00 01 0a 63 00 02 src=10.99.0.1 dst=10.99.0.2 8..39 00 ... gids (memset-zeroed) 40..47 e0 92 a3 81 ff ff ff ff kernel pointer (max_send_wr) 48..55 7f 37 b5 81 ff ff ff ff kernel pointer (rdma_mr_max) 56..59 01 00 08 00 rdma_mr_size (garbage) 60..61 00 00 tos, sl 62..63 00 00 alignment padding 64..67 18 00 00 00 cache_allocs (garbage) Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug. No functional change for visitors that fully populate their output. Changes in v2: - retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title) - pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
Product status
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before 81651e9d7dea1c048d2952f57632a042931d7b43
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before 0797b2e6901827694aa9c34c4c72118c8c97fba1
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before 5e67cc262afb384e835c3327e9d954eeaedc6a87
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before b6ba93a7b71ed443c9843eb12d27ed86f1e52694
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before c7cb9eed8215a790f052f49cdccf577720d2bb62
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before 91ce1bb6e4194dc2321748f68145359dcf86e350
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before 912ba2e5704fdb8bc5decda96dfc1a57838f0099
ec16227e14141e4fd7ae76354c09dadfe2449d9e (git) before c88eb7e8d8397a8c1db59c425332c5a30b2a1682
2.6.30
Any version before 2.6.30
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.141 (semver)
6.12.91 (semver)
6.18.33 (semver)
7.0.10 (semver)
7.1 (original_commit_for_fix)
References
git.kernel.org/...c/81651e9d7dea1c048d2952f57632a042931d7b43
git.kernel.org/...c/0797b2e6901827694aa9c34c4c72118c8c97fba1
git.kernel.org/...c/5e67cc262afb384e835c3327e9d954eeaedc6a87
git.kernel.org/...c/b6ba93a7b71ed443c9843eb12d27ed86f1e52694
git.kernel.org/...c/c7cb9eed8215a790f052f49cdccf577720d2bb62
git.kernel.org/...c/91ce1bb6e4194dc2321748f68145359dcf86e350
git.kernel.org/...c/912ba2e5704fdb8bc5decda96dfc1a57838f0099
git.kernel.org/...c/c88eb7e8d8397a8c1db59c425332c5a30b2a1682