public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Ilja Van Sprundel <ivansprundel@ioactive.com>,
	Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
	Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>,
	Jason Gunthorpe <jgg@nvidia.com>
Subject: [PATCH 4.19 4/7] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
Date: Thu,  4 Nov 2021 15:13:07 +0100	[thread overview]
Message-ID: <20211104141158.174223238@linuxfoundation.org> (raw)
In-Reply-To: <20211104141158.037189396@linuxfoundation.org>

From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>

commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream.

Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.

Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/qib/qib_user_sdma.c |   33 ++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
@@ -606,7 +606,7 @@ done:
 /*
  * How many pages in this iovec element?
  */
-static int qib_user_sdma_num_pages(const struct iovec *iov)
+static size_t qib_user_sdma_num_pages(const struct iovec *iov)
 {
 	const unsigned long addr  = (unsigned long) iov->iov_base;
 	const unsigned long  len  = iov->iov_len;
@@ -662,7 +662,7 @@ static void qib_user_sdma_free_pkt_frag(
 static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
 				   struct qib_user_sdma_queue *pq,
 				   struct qib_user_sdma_pkt *pkt,
-				   unsigned long addr, int tlen, int npages)
+				   unsigned long addr, int tlen, size_t npages)
 {
 	struct page *pages[8];
 	int i, j;
@@ -726,7 +726,7 @@ static int qib_user_sdma_pin_pkt(const s
 	unsigned long idx;
 
 	for (idx = 0; idx < niov; idx++) {
-		const int npages = qib_user_sdma_num_pages(iov + idx);
+		const size_t npages = qib_user_sdma_num_pages(iov + idx);
 		const unsigned long addr = (unsigned long) iov[idx].iov_base;
 
 		ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr,
@@ -828,8 +828,8 @@ static int qib_user_sdma_queue_pkts(cons
 		unsigned pktnw;
 		unsigned pktnwc;
 		int nfrags = 0;
-		int npages = 0;
-		int bytes_togo = 0;
+		size_t npages = 0;
+		size_t bytes_togo = 0;
 		int tiddma = 0;
 		int cfur;
 
@@ -889,7 +889,11 @@ static int qib_user_sdma_queue_pkts(cons
 
 			npages += qib_user_sdma_num_pages(&iov[idx]);
 
-			bytes_togo += slen;
+			if (check_add_overflow(bytes_togo, slen, &bytes_togo) ||
+			    bytes_togo > type_max(typeof(pkt->bytes_togo))) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
 			pktnwc += slen >> 2;
 			idx++;
 			nfrags++;
@@ -908,8 +912,7 @@ static int qib_user_sdma_queue_pkts(cons
 		}
 
 		if (frag_size) {
-			int tidsmsize, n;
-			size_t pktsize;
+			size_t tidsmsize, n, pktsize, sz, addrlimit;
 
 			n = npages*((2*PAGE_SIZE/frag_size)+1);
 			pktsize = struct_size(pkt, addr, n);
@@ -927,14 +930,24 @@ static int qib_user_sdma_queue_pkts(cons
 			else
 				tidsmsize = 0;
 
-			pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL);
+			if (check_add_overflow(pktsize, tidsmsize, &sz)) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
+			pkt = kmalloc(sz, GFP_KERNEL);
 			if (!pkt) {
 				ret = -ENOMEM;
 				goto free_pbc;
 			}
 			pkt->largepkt = 1;
 			pkt->frag_size = frag_size;
-			pkt->addrlimit = n + ARRAY_SIZE(pkt->addr);
+			if (check_add_overflow(n, ARRAY_SIZE(pkt->addr),
+					       &addrlimit) ||
+			    addrlimit > type_max(typeof(pkt->addrlimit))) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
+			pkt->addrlimit = addrlimit;
 
 			if (tiddma) {
 				char *tidsm = (char *)pkt + pktsize;



  parent reply	other threads:[~2021-11-04 14:17 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-04 14:13 [PATCH 4.19 0/7] 4.19.216-rc1 review Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 4.19 1/7] scsi: core: Put LLD module refcnt after SCSI device is released Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 4.19 2/7] media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 4.19 3/7] IB/qib: Use struct_size() helper Greg Kroah-Hartman
2021-11-04 14:13 ` Greg Kroah-Hartman [this message]
2021-11-04 14:13 ` [PATCH 4.19 5/7] sfc: Fix reading non-legacy supported link modes Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 4.19 6/7] arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed Greg Kroah-Hartman
2021-11-04 14:13 ` [PATCH 4.19 7/7] ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" Greg Kroah-Hartman
2021-11-04 22:23 ` [PATCH 4.19 0/7] 4.19.216-rc1 review Shuah Khan
2021-11-05 11:47 ` Naresh Kamboju
2021-11-05 12:46 ` Sudip Mukherjee
2021-11-05 13:16 ` Pavel Machek
2021-11-05 15:14 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211104141158.174223238@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dennis.dalessandro@cornelisnetworks.com \
    --cc=ivansprundel@ioactive.com \
    --cc=jgg@nvidia.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mike.marciniszyn@cornelisnetworks.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox