diff options
author | Jason Gunthorpe <jgg@mellanox.com> | 2018-07-10 20:55:14 -0600 |
---|---|---|
committer | Jason Gunthorpe <jgg@mellanox.com> | 2018-07-25 14:21:21 -0600 |
commit | 1250c3048cf1632f5dbb99a0242410baff67955d (patch) | |
tree | ccf33bb417e90d4b4acd8ab1a7f674beeded6983 /include/rdma | |
parent | 3df593bfe6455f28cda879be8299b30b8601ce3b (diff) |
IB/uverbs: Handle IDR and FD types without truncation
Our ABI for write() uses a s32 for FDs and a u32 for IDRs, but internally
we ended up implicitly casting these ABI values into an 'int'. For ioctl()
we use a s64 for FDs and a u64 for IDRs, again casting to an int.
The various casts to int are all missing range checks which can cause
userspace values that should be considered invalid to be accepted.
Fix this by making the generic lookup routine accept a s64, which does not
truncate the write API's u32/s32 or the ioctl API's s64. Then push the
detailed range checking down to the actual type implementations to be
shared by both interfaces.
Finally, change the copy of the uobj->id to sign extend into a s64, so eg,
if we ever wish to return a negative value for a FD it is carried
properly.
This ensures that userspace values are never weirdly interpreted due to
the various trunctations and everything that is really out of range gets
an EINVAL.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'include/rdma')
-rw-r--r-- | include/rdma/uverbs_std_types.h | 38 | ||||
-rw-r--r-- | include/rdma/uverbs_types.h | 4 |
2 files changed, 23 insertions, 19 deletions
diff --git a/include/rdma/uverbs_std_types.h b/include/rdma/uverbs_std_types.h index 3e3f108f0912..4f32eab8b7a4 100644 --- a/include/rdma/uverbs_std_types.h +++ b/include/rdma/uverbs_std_types.h @@ -46,39 +46,43 @@ static inline const struct uverbs_object_tree_def *uverbs_default_get_objects(vo } #endif -static inline struct ib_uobject *__uobj_get(const struct uverbs_obj_type *type, - bool write, - struct ib_uverbs_file *ufile, - int id) -{ - return rdma_lookup_get_uobject(type, ufile, id, write); -} +/* Returns _id, or causes a compile error if _id is not a u32. + * + * The uobj APIs should only be used with the write based uAPI to access + * object IDs. The write API must use a u32 for the object handle, which is + * checked by this macro. + */ +#define _uobj_check_id(_id) ((_id) * typecheck(u32, _id)) #define uobj_get_type(_object) UVERBS_OBJECT(_object).type_attrs #define uobj_get_read(_type, _id, _ufile) \ - __uobj_get(uobj_get_type(_type), false, _ufile, _id) + rdma_lookup_get_uobject(uobj_get_type(_type), _ufile, \ + _uobj_check_id(_id), false) -static inline void *_uobj_get_obj_read(const struct uverbs_obj_type *type, - int id, struct ib_uverbs_file *ufile) -{ - struct ib_uobject *uobj = __uobj_get(type, false, ufile, id); +#define ufd_get_read(_type, _fdnum, _ufile) \ + rdma_lookup_get_uobject(uobj_get_type(_type), _ufile, \ + (_fdnum)*typecheck(s32, _fdnum), false) +static inline void *_uobj_get_obj_read(struct ib_uobject *uobj) +{ if (IS_ERR(uobj)) return NULL; return uobj->object; } #define uobj_get_obj_read(_object, _type, _id, _ufile) \ - ((struct ib_##_object *)_uobj_get_obj_read(uobj_get_type(_type), _id, \ - _ufile)) + ((struct ib_##_object *)_uobj_get_obj_read( \ + uobj_get_read(_type, _id, _ufile))) #define uobj_get_write(_type, _id, _ufile) \ - __uobj_get(uobj_get_type(_type), true, _ufile, _id) + rdma_lookup_get_uobject(uobj_get_type(_type), _ufile, \ + _uobj_check_id(_id), true) -int __uobj_perform_destroy(const struct uverbs_obj_type *type, int id, +int __uobj_perform_destroy(const struct uverbs_obj_type *type, u32 id, struct ib_uverbs_file *ufile, int success_res); #define uobj_perform_destroy(_type, _id, _ufile, _success_res) \ - __uobj_perform_destroy(uobj_get_type(_type), _id, _ufile, _success_res) + __uobj_perform_destroy(uobj_get_type(_type), _uobj_check_id(_id), \ + _ufile, _success_res) static inline void uobj_put_read(struct ib_uobject *uobj) { diff --git a/include/rdma/uverbs_types.h b/include/rdma/uverbs_types.h index e2fc9db466d3..2f50cc6def3c 100644 --- a/include/rdma/uverbs_types.h +++ b/include/rdma/uverbs_types.h @@ -77,7 +77,7 @@ struct uverbs_obj_type_class { void (*alloc_abort)(struct ib_uobject *uobj); struct ib_uobject *(*lookup_get)(const struct uverbs_obj_type *type, - struct ib_uverbs_file *ufile, int id, + struct ib_uverbs_file *ufile, s64 id, bool exclusive); void (*lookup_put)(struct ib_uobject *uobj, bool exclusive); /* @@ -121,7 +121,7 @@ struct uverbs_obj_idr_type { struct ib_uobject *rdma_lookup_get_uobject(const struct uverbs_obj_type *type, struct ib_uverbs_file *ufile, - int id, bool exclusive); + s64 id, bool exclusive); void rdma_lookup_put_uobject(struct ib_uobject *uobj, bool exclusive); struct ib_uobject *rdma_alloc_begin_uobject(const struct uverbs_obj_type *type, struct ib_uverbs_file *ufile); |