From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com [209.85.219.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BEA530595B for ; Wed, 17 Jun 2026 02:31:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781663520; cv=none; b=qvXWy1WTb3jyhD+kmoj1w95J32svJ9EUcxhk3CjMbTTJylpP1FTHdVjjEcBGLu1RE5TrJD62GH33M9E4OUpQ8W7XWBPH+jeZIZBcNL88JH6o5rx4BdHuCEneEV1sO6nE8uATJVty7SRoGWajfm8zBjSFNbeyRf81EdomBHumsEo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781663520; c=relaxed/simple; bh=gI6fuoOtfgNxRQeV5MldXtG1ofvIZjXTUr99fjt2T6M=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=WVGbG9wJwX9UmyJtyJeqhDoioBoKekv/W7BziBNoJIe/arlO8ve87QPXO4EryRfKm84NLaVRDaLDRZNzlXezCCDB+Osh6zE16fkEXTu1o0Gja07SRLP4U4i+73WXi31zsTfZDVpRkY+joFY+TRch6VOVZgPcUM9YGhkJH0qSfbk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SZTkG+Dn; arc=none smtp.client-ip=209.85.219.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SZTkG+Dn" Received: by mail-qv1-f50.google.com with SMTP id 6a1803df08f44-8ce9df4732cso60352186d6.1 for ; Tue, 16 Jun 2026 19:31:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781663518; x=1782268318; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=WyvBBywOIL3cYLr1Vmd6dlHjxJOx7q5S/Lp3StPlWN8=; b=SZTkG+DntHf+wW565y4p4gP8OJk+Nwq8qyLhN2by/m6RWUkfQxBSBIA/YpvlDIJ4/M xl52iqnOB7LmvOMRHNMIEhHUs71obU/oB9RnXQNkOh1tZU6oSHusULHhZrIFZuqxT1W9 ZQxLBqr/gDagKYtex44HBhOM69QoQitJ0eFur0w27WB3C3X4eSTrgjfKiP28T4LM/Hjp +V3HwuFlRuMBJUA/6pHRj4ijo0EixLk+GgvCIAdqKYtCVoXJI4shBWOlpnNj8gBAUC8m olDpjFG81B+iUeWxMgJa2SDvpQYj5yRLnogaUgbFHnofhDMqjZT3inw7H3Y8qE9ZMqAC Yb1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781663518; x=1782268318; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=WyvBBywOIL3cYLr1Vmd6dlHjxJOx7q5S/Lp3StPlWN8=; b=Bgi2s4BhO2WUnxXG/UflsUHLq+2PHnXWgVELBoPUW6Yoer2FR5RZNbHO1gIcNUTYVc 6eaUlskyC9D27qWONxHArrFQqXhM5HJRyt2RLPKlk1Wvxyj5Kct5vjnSIP2vT/kSU6l1 eAN6xmTVcsgYYmOlleBIQNiuvLEnyaBlIHJokRFxnjRpVeAwM9psLd+bb+OntcRj3J2F 5C46op2hW2xZvHpFa1IERgUkNTvRqYgeXm+CORVIqP18M4RkgQR8SgfIWndxvKXrp6Y8 ADOT/Wku+5x+XovCDnFdOnJNo+Qb5vFE0tU1XfqpbJY/6H5zvPQd1fIu/dnornY6OWMo bl8w== X-Forwarded-Encrypted: i=1; AFNElJ8/lFpSWlvzvuURbnnfx044F2quVSTviI34vao0trieFtoMPOf/XpwSZ7Q6RvNURcebU1qCPO9l4BP1FAU=@vger.kernel.org X-Gm-Message-State: AOJu0YycBAEhPKdSJlO9M5iN43WXDkZPOplDlxn+XTcmogIyHjeuJH32 N0AjpfT958PT6hJo1yvIViwOmkJIqAM7u08NfD90VVO+OVbnWZfNOntg X-Gm-Gg: AfdE7ckrZ3Kdx36feyFjF7KbqeSuiphX2DDtPnmaMNQDSzbAkAR0YUuMYTjzQ7sskRg tbqefq52AGOT5pZTer1YzEHsdMciIB+MOH5+0arATr6y+4gZL7aade5fcbmCtNaQyJkBFz6btPc 18hs6PHzpC3YWXcY2hN0Beg3GwSkQ2i44Fee9rxYV4E8Y5nvlnZfpGsoIBziXMRMrSTcyGyaVem F6N+AwOZIX1fzEUsVuTxfh2DAX+rmbWgsykXibOUMPrSEmqlkwGtiAzPIaZTHZN5+kHz037WEGL cri89P394erWG1N4xTQ0VQDpZvgN2NAD3GR6kjt5yG4RA+D+o21IHRmRlCaBHZmRA8Ri3jWc1My 5mrYncVoLMq0SUsvWC2QTly4zwnYbXJNn40hKgRfOM14W+i6SEPd0tppvDP0tKk+B8x0kdvfoEL WZkOoyM6R+/KE5tCPjnOZF+KAyFDir7SOkQ7r/C0KrrEq4yhrwzA/qesZkr4Qs73XM2Mzdti0pD Clz23yKdSmld7SKJc4PeHxYqcf5ZhlX X-Received: by 2002:a05:6214:6013:b0:8db:c2e3:66a1 with SMTP id 6a1803df08f44-8dbc2e36896mr11272466d6.16.1781663518377; Tue, 16 Jun 2026 19:31:58 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8d9f47408besm51083746d6.28.2026.06.16.19.31.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Jun 2026 19:31:57 -0700 (PDT) From: Michael Bommarito To: Allison Henderson , "David S . Miller" , Jakub Kicinski , Paolo Abeni , Eric Dumazet Cc: Simon Horman , netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org Subject: [PATCH net-next v2] net: rds: check cmsg_len before reading rds_rdma_args in size pass Date: Tue, 16 Jun 2026 22:31:46 -0400 Message-ID: <20260617023146.2780077-1-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit rds_rm_size() handles RDS_CMSG_RDMA_ARGS after only CMSG_OK() and then calls rds_rdma_extra_size(), which reads args->local_vec_addr and args->nr_local without first checking that cmsg_len covers struct rds_rdma_args. The other two RDS_CMSG_RDMA_ARGS consumers already guard this: rds_rdma_bytes() in rds_sendmsg() and rds_cmsg_rdma_args() in rds_cmsg_send() both reject cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args)). Add the same check to rds_rm_size() so all three RDMA args passes are consistent. This is a consistency and hardening change with no behavioral effect for well-formed senders and no reachable bug today: rds_rdma_bytes() runs before rds_rm_size() in rds_sendmsg() and already rejects a short RDS_CMSG_RDMA_ARGS, so the size pass is not reached with an undersized cmsg. But rds_rm_size() reads the args independently of that earlier pass, and nothing in rds_rm_size() itself records or enforces the precondition, so a reader or a future refactor of the size pass cannot tell the cmsg has already been length-checked. Applying the same cmsg_len guard in all three RDS_CMSG_RDMA_ARGS consumers keeps that invariant local to each and robust to reordering. Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Michael Bommarito --- v2: - Re-target net-next and drop the Fixes: tag and the stable Cc. This is a consistency/hardening change, not a reachable bug: as Allison Henderson noted, rds_rdma_bytes() runs before rds_rm_size() in rds_sendmsg() and already rejects a short RDS_CMSG_RDMA_ARGS, so a user cannot reach the rds_rm_size() read through sendmsg. - Corrected the changelog: the two sibling guards are rds_rdma_bytes() in rds_sendmsg() and rds_cmsg_rdma_args() in rds_cmsg_send(); the former runs before, not after, rds_rm_size(). - Dropped the KASAN/AF_RDS reachability framing. No code change from v1. - v1: https://lore.kernel.org/all/20260614130725.2520842-1-michael.bommarito@gmail.com/ net/rds/send.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/rds/send.c b/net/rds/send.c index d8b14ff9d366b..6ca3192b1d8af 100644 --- a/net/rds/send.c +++ b/net/rds/send.c @@ -967,6 +967,8 @@ static int rds_rm_size(struct msghdr *msg, int num_sgs, switch (cmsg->cmsg_type) { case RDS_CMSG_RDMA_ARGS: + if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct rds_rdma_args))) + return -EINVAL; if (vct->indx >= vct->len) { vct->len += vct->incr; tmp_iov = base-commit: 5200f5f493f79f14bbdc349e402a40dfb32f23c8 -- 2.53.0