linux-rdma.vger.kernel.org archive mirror
* [PATCH 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
@ 2015-04-08 14:29 Yann Droneaud
       [not found] ` <cover.1428502843.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
  2015-04-08 14:30 ` [PATCH 2/2] IB/core: don't disallow registering region starting at 0x0 Yann Droneaud
  0 siblings, 2 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 14:29 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, Shachar Raindel,
	Jack Morgenstein, Or Gerlitz, Yann Droneaud

Hi,

Please find one patch to prevent a possible issue partially
addressed by commit 8494057ab5e4 ("IB/uverbs: Prevent integer
overflow in ib_umem_get address arithmetic") (see discussions
in [1]) and another one to add back the possibility of registering
memory mapped at 0 (which is probably not something to be allowed,
but it's not up to ib_umem_get() to prevent it).

[1] "Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical
 memory access"

 http://mid.gmane.org/1428497043.22575.176.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
 http://marc.info/?i=1428497043.22575.176.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org

Regards.

Yann Droneaud (2):
  IB/core: disallow registering 0-sized memory region
  IB/core: don't disallow registering region starting at 0x0

 drivers/infiniband/core/umem.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 1/2] IB/core: disallow registering 0-sized memory region
       [not found] ` <cover.1428502843.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
@ 2015-04-08 14:30   ` Yann Droneaud
  0 siblings, 0 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 14:30 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, Shachar Raindel,
	Jack Morgenstein, Or Gerlitz, Yann Droneaud,
	"IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic"

If ib_umem_get() is called with a size equal to 0 and a
non-page aligned address, one page will be pinned and a
0-sized umem will be returned to the caller.

This should not be allowed: it's not expected for a memory
region to have a size equal to 0.

This patch adds a check to explicitly refuse to register
a 0-sized region.

Additionally, it updates the check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get
address arithmetic") to not care about 0-sized regions:
it would have caught a 0-sized region only if the address was
already page aligned.

Link: http://mid.gmane.org/cover.1428502843.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Jack Morgenstein <jackm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
---
 drivers/infiniband/core/umem.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 8c014b5dab4c..cbe361645c1b 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,12 +99,15 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	if (dmasync)
 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
 
+	if (!size)
+		return ERR_PTR(-EINVAL);
+
 	/*
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
 	 */
 	if ((PAGE_ALIGN(addr + size) <= size) ||
-	    (PAGE_ALIGN(addr + size) <= addr))
+	    (PAGE_ALIGN(addr + size) < addr))
 		return ERR_PTR(-EINVAL);
 
 	if (!can_do_mlock())
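
Review bot: The switch from "<=" to "<" in the addr comparison is safe
only because of the new "if (!size)" return above it, and the comment
block does not record that dependency. With size 0 and a page-aligned
addr, PAGE_ALIGN(addr + size) equals addr, which the old "<=" rejected
and the new "<" accepts, so moving or dropping the size check later
would bring back the 0-sized registration. Suggest extending the comment
to say that a zero size is rejected first and why the comparison can
then be strict.
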
-- 
2.1.0


* [PATCH 2/2] IB/core: don't disallow registering region starting at 0x0
  2015-04-08 14:29 [PATCH 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Yann Droneaud
       [not found] ` <cover.1428502843.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
@ 2015-04-08 14:30 ` Yann Droneaud
  1 sibling, 0 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 14:30 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma, Shachar Raindel, Jack Morgenstein, Or Gerlitz,
	Yann Droneaud,
	"IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic"

In a call to ib_umem_get(), if the address is 0x0 and the size is
already page aligned, the check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get address
arithmetic") will refuse to register a memory region that
could otherwise be valid (provided vm.mmap_min_addr sysctl
and mmap_low_allowed SELinux knobs allow userspace to map
something at address 0x0).

This patch allows such registration again: ib_umem_get()
should probably not care about the base address provided it
can be pinned with get_user_pages().

Link: http://mid.gmane.org/cover.1428502843.git.ydroneaud@opteya.com
Cc: stable@vger.kernel.org # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel@mellanox.com>
Cc: Jack Morgenstein <jackm@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
---
 drivers/infiniband/core/umem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index cbe361645c1b..a0aadd05ab6d 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -106,7 +106,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
 	 */
-	if ((PAGE_ALIGN(addr + size) <= size) ||
+	if ((PAGE_ALIGN(addr + size) < size) ||
 	    (PAGE_ALIGN(addr + size) < addr))
 		return ERR_PTR(-EINVAL);
 
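Review bot: After this change both comparisons are strict, so
PAGE_ALIGN(addr + size) == size is accepted; the comment block still
speaks only of integer overflow and does not say that equality is
deliberately let through for addr 0 with a page-aligned size. Suggest
noting that in the comment, and stating in the changelog why equality
with a non-zero addr, which can only arise from wraparound, is still
refused by the "< addr" comparison on the next line.
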
-- 
2.1.0
