On Wed, Nov 24, 2021 at 01:03:23PM -0800, Jakub Kicinski wrote:
> We're hitting OOB accesses in handle_ipmb_direct_rcv_rsp() (memcpy of
> size -1) after user space generates a message. Looks like the message
> is incorrectly assumed to be of the new IPMB type, because type is never
> set and message is allocated with kmalloc() not kzalloc().
>
> Fixes: 059747c245f0 ("ipmi: Add support for IPMB direct messages")
> Signed-off-by: Jakub Kicinski <k...@kernel.org>
This is correct, and in my queue. Thanks for the fix. -corey > --- > Would it be possible to get something like this to Linus ASAP? > It's flipping over all my test boxes. > --- > drivers/char/ipmi/ipmi_msghandler.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/char/ipmi/ipmi_msghandler.c > b/drivers/char/ipmi/ipmi_msghandler.c > index deed355422f4..f0b18c25cbb1 100644 > --- a/drivers/char/ipmi/ipmi_msghandler.c > +++ b/drivers/char/ipmi/ipmi_msghandler.c > @@ -5031,6 +5031,7 @@ struct ipmi_smi_msg *ipmi_alloc_smi_msg(void) > if (rv) { > rv->done = free_smi_msg; > rv->user_data = NULL; > + rv->type = IPMI_SMI_MSG_TYPE_NORMAL; > atomic_inc(&smi_msg_inuse_count); > } > return rv; > -- > 2.31.1 > _______________________________________________ Openipmi-developer mailing list Openipmi-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openipmi-developer
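Review bot: initializing rv->type to IPMI_SMI_MSG_TYPE_NORMAL in ipmi_alloc_smi_msg() closes the uninitialized-field path, but the symptom described in the commit message (a memcpy of size -1 in handle_ipmb_direct_rcv_rsp()) suggests the receive side also lacks a length check and would still misbehave if any other path hands it a message with an unexpected type or a short payload; consider a follow-up that validates the computed length before the memcpy so a bad type cannot turn into an out-of-bounds access again. Switching the allocation to kzalloc(), as the commit message mentions, would cover any other fields added to struct ipmi_smi_msg later, whereas the explicit assignment only covers this one; either way, a short comment next to `rv->type = IPMI_SMI_MSG_TYPE_NORMAL;` saying that every allocator must set the type would help the next person who adds an allocation path.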