* Patch "infiniband/uverbs: Fix integer overflows" has been added to the 4.9-stable tree
@ 2018-03-22 13:48 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2018-03-22 13:48 UTC (permalink / raw)
To: vlad, alexander.levin, dledford, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
infiniband/uverbs: Fix integer overflows
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
infiniband-uverbs-fix-integer-overflows.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Thu Mar 22 14:40:23 CET 2018
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Date: Fri, 24 Mar 2017 15:55:17 -0400
Subject: infiniband/uverbs: Fix integer overflows
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
[ Upstream commit 4f7f4dcfff2c19debbcdbcc861c325610a15e0c5 ]
The 'num_sge' variable is verfied to be smaller than the 'sge_count'
variable; however, since both are user-controlled it's possible to cause
an integer overflow for the kmalloc multiply on 32-bit platforms
(num_sge and sge_count are both defined u32). By crafting an input that
causes a smaller-than-expected allocation it's possible to write
controlled data out-of-bounds.
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/uverbs_cmd.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2491,9 +2491,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_u
static void *alloc_wr(size_t wr_size, __u32 num_sge)
{
+ if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) /
+ sizeof (struct ib_sge))
+ return NULL;
+
return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) +
num_sge * sizeof (struct ib_sge), GFP_KERNEL);
-};
+}
ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file,
struct ib_device *ib_dev,
@@ -2719,6 +2723,13 @@ static struct ib_recv_wr *ib_uverbs_unma
ret = -EINVAL;
goto err;
}
+
+ if (user_wr->num_sge >=
+ (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) /
+ sizeof (struct ib_sge)) {
+ ret = -EINVAL;
+ goto err;
+ }
next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) +
user_wr->num_sge * sizeof (struct ib_sge),
Patches currently in stable-queue which might be from vlad@tsyrklevich.net are
queue-4.9/infiniband-uverbs-fix-integer-overflows.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-03-22 13:49 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-22 13:48 Patch "infiniband/uverbs: Fix integer overflows" has been added to the 4.9-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).