[openib-general] Data structure size mismatch
Pradeep Satyanarayana
pradeep at us.ibm.com
Sun Nov 6 15:03:30 PST 2005
Roland Dreier <rolandd at cisco.com> wrote on 11/04/2005 04:09:39 PM:
> >>>>> "Pradeep" == Pradeep Satyanarayana <pradeep at us.ibm.com> writes:
>
> Pradeep> Even if we change struct ib_uat_route_by_ip_req, there
> Pradeep> still is user_mad.c that needs to be looked into.
>
> Could you be specific? As far as I can tell, all of the structures
> copied to and from userspace in user_mad.c are laid out identically
> for 32-bit and 64-bit architectures.
I looked at this from the copy_from_user() side only. I do not know which
user app uses this. Here is an example of the code from ib_umad_write()
that illustrates this:
    /* allocate the kernel-private wrapper plus room for the RMPP header */
    packet = kmalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL);
    if (!packet)
        return -ENOMEM;

    /* copy the user-supplied MAD into the nested ib_user_mad member */
    if (copy_from_user(&packet->mad, buf,
                       sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)) {
        ret = -EFAULT;
        goto err;
    }

    struct ib_umad_packet {
        struct ib_mad_send_buf *msg;  /* pointer: 4 bytes on 32-bit, 8 on 64-bit */
        struct list_head list;        /* two pointers */
        int length;
        struct ib_user_mad mad;       /* the structure copied from userspace */
    };
Now, sizeof *packet will be different between 32-bit and 64-bit because of
the pointers. Because of this, the offset of packet->mad will be incorrect
and one might find unexpected data. Would you agree?
Once I saw this, I did not look further. There may be other cases of this
mismatch, and I have not had a chance to take a close look at all the code.
Pradeep
pradeep at us.ibm.com
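As an added illustration (not part of Pradeep's message or of the OpenIB code), the following C program models how a structure's layout is computed under 32-bit and 64-bit rules and reports whether the two agree. The names demo_packet, demo_user_mad, packet_layout, mad_layout and bad_abi_layout are constructed stand-ins: the packet model mirrors the shape of struct ib_umad_packet quoted above (pointer, list_head, int, nested MAD), while the MAD model is an assumed ABI-style structure made only of fixed-width fields and is not the real struct ib_user_mad. The model follows the SysV i386/x86-64 rules (8-byte integers align to 4 bytes inside a struct on i386) and cross-checks itself against the host compiler's offsetof and sizeof.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FIELDS 8

/* Field kinds for the layout model.  PTR is the only kind whose size
 * follows the target; U64 stays 8 bytes but, per the i386 SysV ABI,
 * is only 4-byte aligned inside a struct on 32-bit targets. */
enum kind { U8, U32, INT, U64, PTR, NESTED };

struct layout;
struct field {
    enum kind kind;
    size_t count;                /* array length, 1 for a scalar */
    const struct layout *nested; /* NESTED only */
};
struct layout { const struct field *fields; size_t nfields; };
struct geom { size_t size, align; };

static struct geom lay_out(const struct layout *l, size_t ptr_size, size_t *offsets);

static struct geom field_geom(const struct field *f, size_t ptr_size)
{
    struct geom g = { 0, 1 };
    switch (f->kind) {
    case U8:  g.size = 1; g.align = 1; break;
    case U32: case INT: g.size = 4; g.align = 4; break;
    case U64: g.size = 8; g.align = (ptr_size == 4) ? 4 : 8; break;
    case PTR: g.size = ptr_size; g.align = ptr_size; break;
    case NESTED: g = lay_out(f->nested, ptr_size, NULL); break;
    }
    g.size *= f->count;
    return g;
}

/* Natural-alignment layout: pad each field to its alignment, then pad the
 * whole struct to its largest member alignment.  Fills offsets[] if given. */
static struct geom lay_out(const struct layout *l, size_t ptr_size, size_t *offsets)
{
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < l->nfields; i++) {
        struct geom g = field_geom(&l->fields[i], ptr_size);
        off = (off + g.align - 1) / g.align * g.align;
        if (offsets) offsets[i] = off;
        off += g.size;
        if (g.align > max_align) max_align = g.align;
    }
    struct geom total = { (off + max_align - 1) / max_align * max_align, max_align };
    return total;
}

/* Constructed stand-in for an ABI struct: fixed-width fields only. */
static const struct field mad_fields[] = { { U32, 4, NULL }, { U8, 16, NULL } };
static const struct layout mad_layout = { mad_fields, 2 };

/* Constructed stand-in with the shape of struct ib_umad_packet:
 * pointer, list_head (two pointers, flattened here), int, nested MAD. */
static const struct field packet_fields[] = {
    { PTR, 1, NULL }, { PTR, 1, NULL }, { PTR, 1, NULL },
    { INT, 1, NULL }, { NESTED, 1, &mad_layout },
};
static const struct layout packet_layout = { packet_fields, 5 };

/* Constructed example of a user-visible struct that is NOT 32/64 clean. */
static const struct field bad_abi_fields[] = { { U32, 1, NULL }, { U64, 1, NULL } };
static const struct layout bad_abi_layout = { bad_abi_fields, 2 };

/* Offset of the nested MAD inside the packet wrapper for a given pointer size. */
static size_t mad_offset(size_t ptr_size)
{
    size_t off[MAX_FIELDS];
    lay_out(&packet_layout, ptr_size, off);
    return off[4];
}

/* 1 if every field offset and the total size agree between 32- and 64-bit. */
static int layouts_match(const struct layout *l)
{
    size_t o32[MAX_FIELDS], o64[MAX_FIELDS];
    struct geom g32 = lay_out(l, 4, o32), g64 = lay_out(l, 8, o64);
    if (g32.size != g64.size) return 0;
    for (size_t i = 0; i < l->nfields; i++)
        if (o32[i] != o64[i]) return 0;
    return 1;
}

/* Real C structs matching the two models, so the host compiler can
 * cross-check the model for the host's own pointer size. */
struct demo_user_mad { uint32_t hdr[4]; uint8_t gid[16]; };
struct demo_packet {
    void *msg;
    struct { void *next, *prev; } list;
    int length;
    struct demo_user_mad mad;
};

static int host_model_matches(void)
{
    size_t ps = sizeof(void *);
    return mad_offset(ps) == offsetof(struct demo_packet, mad) &&
           lay_out(&packet_layout, ps, NULL).size == sizeof(struct demo_packet);
}

int main(void)
{
    printf("offset of mad: 32-bit=%zu 64-bit=%zu\n", mad_offset(4), mad_offset(8));
    printf("MAD struct 32/64 identical:  %d\n", layouts_match(&mad_layout));
    printf("packet wrapper identical:    %d\n", layouts_match(&packet_layout));
    printf("u32+u64 struct identical:    %d\n", layouts_match(&bad_abi_layout));
    printf("model agrees with host compiler: %d\n", host_model_matches());
    return 0;
}
```

In the model the nested MAD sits at offset 16 on a 32-bit build and 28 on a 64-bit build, so sizeof *packet and the position of packet->mad are indeed architecture-dependent, while a structure built only from 32-bit and 8-bit fields lays out identically on both. The u32-followed-by-u64 case is the pattern to look for when auditing structures that are passed through copy_to_user()/copy_from_user(): same member list, different padding, and therefore a different layout for 32-bit callers.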