ipmi: fix oob access due to uninit smi_msg type

kuba-moo · cminyard · commit c33fdfbabb6c · 2021-11-25T08:21:13.000-06:00
We're hitting OOB accesses in handle_ipmb_direct_rcv_rsp() (memcpy of size -1) after user space generates a message. Looks like the message is incorrectly assumed to be of the new IPMB type, because type is never set and message is allocated with kmalloc() not kzalloc(). Fixes: 059747c ("ipmi: Add support for IPMB direct messages") Signed-off-by: Jakub Kicinski <kuba@kernel.org> Message-Id: <20211124210323.1950976-1-kuba@kernel.org> Signed-off-by: Corey Minyard <cminyard@mvista.com>
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
@@ -5033,6 +5033,7 @@ struct ipmi_smi_msg *ipmi_alloc_smi_msg(void)
 	if (rv) {
 		rv->done = free_smi_msg;
 		rv->user_data = NULL;
+		rv->type = IPMI_SMI_MSG_TYPE_NORMAL;
 		atomic_inc(&smi_msg_inuse_count);
 	}
 	return rv;

Original file line number	Diff line number	Diff line change
`@@ -5033,6 +5033,7 @@ struct ipmi_smi_msg *ipmi_alloc_smi_msg(void)`
`5033`	`5033`	`if (rv) {`
`5034`	`5034`	`rv->done = free_smi_msg;`
`5035`	`5035`	`rv->user_data = NULL;`
	`5036`	`+ rv->type = IPMI_SMI_MSG_TYPE_NORMAL;`
`5036`	`5037`	`atomic_inc(&smi_msg_inuse_count);`
`5037`	`5038`	`}`
`5038`	`5039`	`return rv;`