* [patch 1/2] IB/rxe: Fix resid update [not found] ` <8892e1d1-84ba-489b-d118-3599b9b50b0f-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> @ 2017-02-07 13:43 ` Dan Carpenter 2017-02-07 17:02 ` Leon Romanovsky 2017-02-08 17:39 ` Doug Ledford 2017-02-07 13:45 ` [patch 2/2 v2] IB/rxe: Fix mem_check_range integer overflow Dan Carpenter 1 sibling, 2 replies; 6+ messages in thread From: Dan Carpenter @ 2017-02-07 13:43 UTC (permalink / raw) To: Moni Shoua, Eyal Itkin Cc: Doug Ledford, Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Update the response's resid field when larger than MTU, instead of only updating the local resid variable. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c index 7bf20ced2078..d404a8aba7af 100644 --- a/drivers/infiniband/sw/rxe/rxe_resp.c +++ b/drivers/infiniband/sw/rxe/rxe_resp.c @@ -479,7 +479,7 @@ static enum resp_states check_rkey(struct rxe_qp *qp, goto err; } - resid = mtu; + qp->resp.resid = mtu; } else { if (pktlen != resid) { state = RESPST_ERR_LENGTH; -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 6+ messages in thread
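Review bot: After `qp->resp.resid = mtu;` the local `resid` is left holding its old value, yet the same function still reads it in the `else` branch (`pktlen != resid`), so check_rkey() now carries two views of the residual length. Please confirm nothing later in the function reads the local `resid` expecting the clamped value, or drop the local and use `qp->resp.resid` throughout. The commit message should also say what goes wrong when only the local copy is updated, since 2/2 in this series is tagged with a CVE and it is not clear whether this change is security-relevant as well.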
* Re: [patch 1/2] IB/rxe: Fix resid update
From: Leon Romanovsky @ 2017-02-07 17:02 UTC
To: Dan Carpenter
Cc: Moni Shoua, Eyal Itkin, Doug Ledford, Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA

On Tue, Feb 07, 2017 at 04:43:05PM +0300, Dan Carpenter wrote:
> From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
> Update the response's resid field when larger than MTU, instead of only
> updating the local resid variable.
>
> Fixes: 8700e3e7c485 ("Soft RoCE driver")
> Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
>

Thanks,
Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
* Re: [patch 1/2] IB/rxe: Fix resid update 2017-02-07 13:43 ` [patch 1/2] IB/rxe: Fix resid update Dan Carpenter 2017-02-07 17:02 ` Leon Romanovsky @ 2017-02-08 17:39 ` Doug Ledford 1 sibling, 0 replies; 6+ messages in thread From: Doug Ledford @ 2017-02-08 17:39 UTC (permalink / raw) To: Dan Carpenter, Moni Shoua, Eyal Itkin Cc: Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA [-- Attachment #1: Type: text/plain, Size: 1154 bytes --] On Tue, 2017-02-07 at 16:43 +0300, Dan Carpenter wrote: > From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > > Update the response's resid field when larger than MTU, instead of > only > updating the local resid variable. > > Fixes: 8700e3e7c485 ("Soft RoCE driver") > Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> > > diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c > b/drivers/infiniband/sw/rxe/rxe_resp.c > index 7bf20ced2078..d404a8aba7af 100644 > --- a/drivers/infiniband/sw/rxe/rxe_resp.c > +++ b/drivers/infiniband/sw/rxe/rxe_resp.c > @@ -479,7 +479,7 @@ static enum resp_states check_rkey(struct rxe_qp > *qp, > goto err; > } > > - resid = mtu; > + qp->resp.resid = mtu; > } else { > if (pktlen != resid) { > state = RESPST_ERR_LENGTH; Applied, thanks. -- Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> GPG KeyID: B826A3330E572FDD Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* [patch 2/2 v2] IB/rxe: Fix mem_check_range integer overflow [not found] ` <8892e1d1-84ba-489b-d118-3599b9b50b0f-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> 2017-02-07 13:43 ` [patch 1/2] IB/rxe: Fix resid update Dan Carpenter @ 2017-02-07 13:45 ` Dan Carpenter 2017-02-07 17:02 ` Leon Romanovsky 2017-02-08 17:40 ` Doug Ledford 1 sibling, 2 replies; 6+ messages in thread From: Dan Carpenter @ 2017-02-07 13:45 UTC (permalink / raw) To: Moni Shoua, Eyal Itkin Cc: Doug Ledford, Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Update the range check to avoid integer-overflow in edge case. Resolves CVE 2016-8636. Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> --- v2: I completely misread Eyal's first patch. diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c index 8cf38b253c37..37eea7441ca4 100644 --- a/drivers/infiniband/sw/rxe/rxe_mr.c +++ b/drivers/infiniband/sw/rxe/rxe_mr.c @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length) case RXE_MEM_TYPE_MR: case RXE_MEM_TYPE_FMR: - return ((iova < mem->iova) || - ((iova + length) > (mem->iova + mem->length))) ? - -EFAULT : 0; + if (iova < mem->iova || + length > mem->length || + iova > mem->iova + mem->length - length) + return -EFAULT; + return 0; default: return -EFAULT; -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 6+ messages in thread
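Review bot: The third condition, `iova > mem->iova + mem->length - length`, is only safe because `length > mem->length` is rejected by the condition just before it; if the two are ever reordered or the second is dropped in a cleanup, the subtraction can wrap and the check passes again. A one-line comment stating that dependency would protect it. The sum `mem->iova + mem->length` is still computed unguarded, so the check relies on the region itself not wrapping; the commit message should say so, and should name the edge case (the old `iova + length` wrapping) rather than just "edge case". Two smaller points: unlike 1/2 there is no Fixes: tag, and the id is conventionally written CVE-2016-8636 so it can be searched.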
* Re: [patch 2/2 v2] IB/rxe: Fix mem_check_range integer overflow
From: Leon Romanovsky @ 2017-02-07 17:02 UTC
To: Dan Carpenter
Cc: Moni Shoua, Eyal Itkin, Doug Ledford, Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA

On Tue, Feb 07, 2017 at 04:45:19PM +0300, Dan Carpenter wrote:
> From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
> Update the range check to avoid integer-overflow in edge case.
> Resolves CVE 2016-8636.
>
> Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
> ---
> v2: I completely misread Eyal's first patch.
>

Thanks,
Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
* Re: [patch 2/2 v2] IB/rxe: Fix mem_check_range integer overflow 2017-02-07 13:45 ` [patch 2/2 v2] IB/rxe: Fix mem_check_range integer overflow Dan Carpenter 2017-02-07 17:02 ` Leon Romanovsky @ 2017-02-08 17:40 ` Doug Ledford 1 sibling, 0 replies; 6+ messages in thread From: Doug Ledford @ 2017-02-08 17:40 UTC (permalink / raw) To: Dan Carpenter, Moni Shoua, Eyal Itkin Cc: Sean Hefty, Hal Rosenstock, security-DgEjT+Ai2ygdnm+yROfE0A, linux-rdma-u79uwXL29TY76Z2rM5mHXA [-- Attachment #1: Type: text/plain, Size: 1363 bytes --] On Tue, 2017-02-07 at 16:45 +0300, Dan Carpenter wrote: > From: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > > Update the range check to avoid integer-overflow in edge case. > Resolves CVE 2016-8636. > > Signed-off-by: Eyal Itkin <eyal.itkin-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> > --- > v2: I completely misread Eyal's first patch. > > diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c > b/drivers/infiniband/sw/rxe/rxe_mr.c > index 8cf38b253c37..37eea7441ca4 100644 > --- a/drivers/infiniband/sw/rxe/rxe_mr.c > +++ b/drivers/infiniband/sw/rxe/rxe_mr.c > @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, > size_t length) > > case RXE_MEM_TYPE_MR: > case RXE_MEM_TYPE_FMR: > - return ((iova < mem->iova) || > - ((iova + length) > (mem->iova + mem- > >length))) ? > - -EFAULT : 0; > + if (iova < mem->iova || > + length > mem->length || > + iova > mem->iova + mem->length - length) > + return -EFAULT; > + return 0; > > default: > return -EFAULT; Thanks, applied. -- Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> GPG KeyID: B826A3330E572FDD Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread