From: Yann Droneaud <ydroneaud@opteya.com>
To: Roland Dreier <roland@kernel.org>
Cc: linux-rdma@vger.kernel.org,
Shachar Raindel <raindel@mellanox.com>,
Jack Morgenstein <jackm@mellanox.com>,
Or Gerlitz <ogerlitz@mellanox.com>,
stable@vger.kernel.org, Yann Droneaud <ydroneaud@opteya.com>
Subject: [PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
Date: Mon, 13 Apr 2015 14:56:21 +0200 [thread overview]
Message-ID: <cover.1428929103.git.ydroneaud@opteya.com> (raw)
Hi,
Please find one patch to prevent a possible issue partially
addressed by commit 8494057ab5e4 ("IB/uverbs: Prevent integer
overflow in ib_umem_get address arithmetic") (see discussions
in [1]) and another one to add back the possibility of registering
memory mapped at 0 (which is probably not something to be allowed,
but it's probably not up to ib_umem_get() to prevent it).
Changes from v0 [2]:
- don't touch to overflow logic in first patch:
not modifying the logic here so that the patch can be applied
even on kernel without the overflow preventing checks,
and second patch is going to rewrite the check.
- don't break overflow detection in second patch:
changing less or equal to less comparison broke the overflow
detection logic regarding to rounding done by PAGE_ALIGN,
so fixes this by checking for overflow in addr + size,
then by checking for overflow in PAGE_ALIGN(addr + size).
[1] "Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical
memory access"
http://mid.gmane.org/1428497043.22575.176.camel@opteya.com
http://marc.info/?i=1428497043.22575.176.camel@opteya.com
[2] [PATCH RESEND 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
http://mid.gmane.org/cover.1428523125.git.ydroneaud@opteya.com
http://marc.info/?i=cover.1428523125.git.ydroneaud@opteya.com
Yann Droneaud (2):
IB/core: disallow registering 0-sized memory region
IB/core: don't disallow registering region starting at 0x0
drivers/infiniband/core/umem.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--
2.1.0
next reply other threads:[~2015-04-13 12:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-13 12:56 Yann Droneaud [this message]
[not found] ` <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-04-13 12:56 ` [PATCH v1 1/2] IB/core: disallow registering 0-sized memory region Yann Droneaud
2015-04-13 12:56 ` [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0 Yann Droneaud
2015-04-14 9:20 ` Sagi Grimberg
2015-04-14 12:00 ` Yann Droneaud
[not found] ` <1429012859.4333.2.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-04-14 12:50 ` Sagi Grimberg
[not found] ` <552D0D2A.8000604-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
2015-04-14 14:35 ` Haggai Eran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1428929103.git.ydroneaud@opteya.com \
--to=ydroneaud@opteya.com \
--cc=jackm@mellanox.com \
--cc=linux-rdma@vger.kernel.org \
--cc=ogerlitz@mellanox.com \
--cc=raindel@mellanox.com \
--cc=roland@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.