• Kees Cook's avatar
    IB/rxe: do not copy extra stack memory to skb · 4c93496f
    Kees Cook authored
    This fixes a over-read condition detected by FORTIFY_SOURCE for this
    line:
    
    	memcpy(SKB_TO_PKT(skb), &ack_pkt, sizeof(skb->cb));
    
    The error was:
    
      In file included from ./include/linux/bitmap.h:8:0,
                       from ./include/linux/cpumask.h:11,
                       from ./include/linux/mm_types_task.h:13,
                       from ./include/linux/mm_types.h:4,
                       from ./include/linux/kmemcheck.h:4,
                       from ./include/linux/skbuff.h:18,
                       from drivers/infiniband/sw/rxe/rxe_resp.c:34:
      In function 'memcpy',
          inlined from 'send_atomic_ack.constprop' at drivers/infiniband/sw/rxe/rxe_resp.c:998:2,
          inlined from 'acknowledge' at drivers/infiniband/sw/rxe/rxe_resp.c:1026:3,
          inlined from 'rxe_responder' at drivers/infiniband/sw/rxe/rxe_resp.c:1286:10:
      ./include/linux/string.h:309:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
          __read_overflow2();
    
    Daniel Micay noted that struct rxe_pkt_info is 32 bytes on 32-bit
    architectures, but skb->cb is still 64.  The memcpy() over-reads 32
    bytes.  This fixes it by zeroing the unused bytes in skb->cb.
    
    Link: http://lkml.kernel.org/r/1497903987-21002-5-git-send-email-keescook@chromium.orgSigned-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Moni Shoua <monis@mellanox.com>
    Cc: Doug Ledford <dledford@redhat.com>
    Cc: Sean Hefty <sean.hefty@intel.com>
    Cc: Daniel Micay <danielmicay@gmail.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    4c93496f
rxe_resp.c 32.7 KB