diff --git a/0001-util-fix-overflow-in-remap_node_name.patch b/0001-util-fix-overflow-in-remap_node_name.patch new file mode 100644 index 0000000..860c153 --- /dev/null +++ b/0001-util-fix-overflow-in-remap_node_name.patch @@ -0,0 +1,85 @@ +From 5075b961a29ff9c418e1fefe78432e95dd0a5fcc Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Wed, 1 Feb 2023 22:41:06 +0100 +Subject: [PATCH 1/3] util: fix overflow in remap_node_name() + +The function remap_node_name() assumes the parameter 'nodedesc' is at +least IB_SMP_DATA_SIZE + 1 (i.e. 65) bytes long, because it passes it to +clean_nodedesc() that writes a nul-terminator to it at offset +IB_SMP_DATA_SIZE. Callers in infiniband-diags/saquery.c pass +a (struct ib_node_desc_t).description as the argument, which is only +IB_NODE_DESCRIPTION_SIZE (i.e. 64) bytes long. This is an overflow. + +An odd thing about remap_node_name() is that it may (but does not +always) rewrite the nodedesc in-place. Callers do not appear to +appreciate this behavior. Most of them are various print_* and dump_* +functions where rewriting the input makes no sense. Some callers make a +local copy of the nodedesc first, possibly to protect the original. +One caller (infiniband-diags/saquery.c:print_node_records()) checks if +either the original description or the remapped one matches a given +requested_name - so it looks like it prefers the original to be +not rewritten. + +Let's make remap_node_name() a bit safer and more convenient to use. +Allocate a fixed-sized copy first. Then use strncpy to copy from +'nodedesc', never reading more than IB_SMP_DATA_SIZE (64) bytes. +Apply clean_nodedesc() on the correctly-sized copy. This solves the +overflow bug. Also, the in-place rewrite of 'nodedesc' is gone and it +can become a (const char*). + +The overflow was found by a static checker (covscan). + +Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)") +Signed-off-by: Michal Schmidt +--- + util/node_name_map.c | 12 +++++++++--- + util/node_name_map.h | 3 +-- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/util/node_name_map.c b/util/node_name_map.c +index 30b73eb1448e..511cb92ef19c 100644 +--- a/util/node_name_map.c ++++ b/util/node_name_map.c +@@ -95,7 +95,7 @@ void close_node_name_map(nn_map_t * map) + free(map); + } + +-char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc) ++char *remap_node_name(nn_map_t * map, uint64_t target_guid, const char *nodedesc) + { + char *rc = NULL; + name_map_item_t *item = NULL; +@@ -108,8 +108,14 @@ char *remap_node_name(nn_map_t * map, uint64_t target_guid, char *nodedesc) + rc = strdup(item->name); + + done: +- if (rc == NULL) +- rc = strdup(clean_nodedesc(nodedesc)); ++ if (rc == NULL) { ++ rc = malloc(IB_SMP_DATA_SIZE + 1); ++ if (rc) { ++ strncpy(rc, nodedesc, IB_SMP_DATA_SIZE); ++ rc[IB_SMP_DATA_SIZE] = '\0'; ++ clean_nodedesc(rc); ++ } ++ } + return (rc); + } + +diff --git a/util/node_name_map.h b/util/node_name_map.h +index e78d274b116e..d83d672782c4 100644 +--- a/util/node_name_map.h ++++ b/util/node_name_map.h +@@ -12,8 +12,7 @@ typedef struct nn_map nn_map_t; + + nn_map_t *open_node_name_map(const char *node_name_map); + void close_node_name_map(nn_map_t *map); +-/* NOTE: parameter "nodedesc" may be modified here. */ +-char *remap_node_name(nn_map_t *map, uint64_t target_guid, char *nodedesc); ++char *remap_node_name(nn_map_t *map, uint64_t target_guid, const char *nodedesc); + char *clean_nodedesc(char *nodedesc); + + #endif +-- +2.39.1 + diff --git a/0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch b/0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch new file mode 100644 index 0000000..7927ba6 --- /dev/null +++ b/0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch @@ -0,0 +1,95 @@ +From d5723a0f69577fd3022024ca17c27e273a29695b Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Wed, 1 Feb 2023 22:41:16 +0100 +Subject: [PATCH 2/3] infiniband-diags: drop unnecessary nodedesc local copies + +Now that remap_node_name() never rewrites nodedesc in-place, some +copying can be avoided. + +Signed-off-by: Michal Schmidt +--- + infiniband-diags/dump_fts.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/infiniband-diags/dump_fts.c b/infiniband-diags/dump_fts.c +index ce6bfb9ecc33..acef9efe692d 100644 +--- a/infiniband-diags/dump_fts.c ++++ b/infiniband-diags/dump_fts.c +@@ -109,7 +109,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl, + unsigned endl, struct ibmad_port *mad_port) + { + ib_portid_t *portid = &node->path_portid; +- char nd[IB_SMP_DATA_SIZE + 1] = { 0 }; + char str[512]; + char *s; + uint64_t nodeguid; +@@ -119,7 +118,6 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl, + char *mapnd = NULL; + int n = 0; + +- memcpy(nd, node->nodedesc, strlen(node->nodedesc)); + nports = node->numports; + nodeguid = node->guid; + +@@ -149,7 +147,7 @@ static void dump_multicast_tables(ibnd_node_t *node, unsigned startl, + endl = IB_MAX_MCAST_LID; + } + +- mapnd = remap_node_name(node_name_map, nodeguid, nd); ++ mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc); + + printf("Multicast mlids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64 + " (%s):\n", startl, endl, portid2str(portid), nodeguid, +@@ -224,8 +222,6 @@ static int dump_lid(char *str, int str_len, int lid, int valid, + ibnd_fabric_t *fabric, int *last_port_lid, + int *base_port_lid, uint64_t *portguid) + { +- char nd[IB_SMP_DATA_SIZE + 1] = { 0 }; +- + ibnd_port_t *port = NULL; + + char ntype[50], sguid[30]; +@@ -276,14 +272,12 @@ static int dump_lid(char *str, int str_len, int lid, int valid, + baselid = port->base_lid; + lmc = port->lmc; + +- memcpy(nd, port->node->nodedesc, strlen(port->node->nodedesc)); +- + if (lmc > 0) { + *base_port_lid = baselid; + *last_port_lid = baselid + (1 << lmc) - 1; + } + +- mapnd = remap_node_name(node_name_map, nodeguid, nd); ++ mapnd = remap_node_name(node_name_map, nodeguid, port->node->nodedesc); + + rc = snprintf(str, str_len, ": (%s portguid %s: '%s')", + mad_dump_val(IB_NODE_TYPE_F, ntype, sizeof ntype, +@@ -302,7 +296,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl, + { + ib_portid_t * portid = &node->path_portid; + char lft[IB_SMP_DATA_SIZE] = { 0 }; +- char nd[IB_SMP_DATA_SIZE + 1] = { 0 }; + char str[200]; + uint64_t nodeguid; + int block, i, e, top; +@@ -315,7 +308,6 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl, + mad_decode_field(node->switchinfo, IB_SW_LINEAR_FDB_TOP_F, &top); + nodeguid = node->guid; + nports = node->numports; +- memcpy(nd, node->nodedesc, strlen(node->nodedesc)); + + if (!endl || endl > top) + endl = top; +@@ -326,7 +318,7 @@ static void dump_unicast_tables(ibnd_node_t *node, int startl, int endl, + endl = IB_MAX_UCAST_LID; + } + +- mapnd = remap_node_name(node_name_map, nodeguid, nd); ++ mapnd = remap_node_name(node_name_map, nodeguid, node->nodedesc); + + printf("Unicast lids [0x%x-0x%x] of switch %s guid 0x%016" PRIx64 + " (%s):\n", startl, endl, portid2str(portid), nodeguid, +-- +2.39.1 + diff --git a/0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch b/0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch new file mode 100644 index 0000000..2a5cc84 --- /dev/null +++ b/0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch @@ -0,0 +1,38 @@ +From 45fcc7ad41216a93bafb452f7d7a4507d52722cd Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Wed, 1 Feb 2023 23:30:52 +0100 +Subject: [PATCH 3/3] libibnetdisc: fix printing a possibly non-NUL-terminated + string + +Found by a static check (covscan). + +Fixes: d974c4e398d2 ("Fix max length of node description (ibnetdiscover and smpquery)") +Signed-off-by: Michal Schmidt +--- + libibnetdisc/chassis.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libibnetdisc/chassis.c b/libibnetdisc/chassis.c +index a3ec1d82807c..bc1a8aff8acb 100644 +--- a/libibnetdisc/chassis.c ++++ b/libibnetdisc/chassis.c +@@ -597,7 +597,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node) + int p = 0; + ibnd_port_t *port; + +- char node_desc[IB_SMP_DATA_SIZE]; ++ char node_desc[IB_SMP_DATA_SIZE + 1]; + char *system_name; + char *system_type; + char *system_slot_name; +@@ -617,6 +617,7 @@ static int fill_mellanox_chassis_record(ibnd_node_t * node) + */ + + memcpy(node_desc, node->nodedesc, IB_SMP_DATA_SIZE); ++ node_desc[IB_SMP_DATA_SIZE] = '\0'; + + IBND_DEBUG("fill_mellanox_chassis_record: node_desc:%s \n",node_desc); + +-- +2.39.1 + diff --git a/0001-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch b/9998-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch similarity index 100% rename from 0001-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch rename to 9998-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch diff --git a/udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch b/9999-udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch similarity index 100% rename from udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch rename to 9999-udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch diff --git a/rdma-core.spec b/rdma-core.spec index acf8748..0d340f6 100644 --- a/rdma-core.spec +++ b/rdma-core.spec @@ -1,6 +1,6 @@ Name: rdma-core Version: 44.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: RDMA core userspace libraries and daemons # Almost everything is licensed under the OFA dual GPLv2, 2 Clause BSD license @@ -10,8 +10,12 @@ Summary: RDMA core userspace libraries and daemons License: GPLv2 or BSD Url: https://github.com/linux-rdma/rdma-core Source: https://github.com/linux-rdma/rdma-core/releases/download/v%{version}/%{name}-%{version}.tar.gz -Patch1: 0001-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch -Patch2: udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch +# 0001-0003: https://github.com/linux-rdma/rdma-core/pull/1308 +Patch1: 0001-util-fix-overflow-in-remap_node_name.patch +Patch2: 0002-infiniband-diags-drop-unnecessary-nodedesc-local-cop.patch +Patch3: 0003-libibnetdisc-fix-printing-a-possibly-non-NUL-termina.patch +Patch9998: 9998-kernel-boot-Do-not-perform-device-rename-on-OPA-devi.patch +Patch9999: 9999-udev-keep-NAME_KERNEL-as-default-interface-naming-co.patch # Do not build static libs by default. %define with_static %{?_with_static: 1} %{?!_with_static: 0} @@ -273,11 +277,14 @@ easy, object-oriented access to IB verbs. %prep %setup -q -%if 0%{?fedora} %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%if 0%{?fedora} +%patch9998 -p1 %endif %if 0%{?rhel} -%patch2 -p1 +%patch9999 -p1 %endif %build @@ -663,6 +670,9 @@ fi %endif %changelog +* Thu Feb 02 2023 Michal Schmidt - 44.0-2 +- Fix a couple of bugs found by covscan. + * Tue Jan 31 2023 Michal Schmidt - 44.0-1 - Rebase to upstream v44.0.