From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-dm3nam03on0131.outbound.protection.outlook.com ([104.47.41.131]:26629 "EHLO NAM03-DM3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1032099AbeCAP3e (ORCPT ); Thu, 1 Mar 2018 10:29:34 -0500 From: Sasha Levin To: "stable@vger.kernel.org" , "stable-commits@vger.kernel.org" CC: Mohamed Ghannam , "David S . Miller" , Sasha Levin Subject: [added to the 4.1 stable tree] RDS: Heap OOB write in rds_message_alloc_sgs() Date: Thu, 1 Mar 2018 15:24:02 +0000 Message-ID: <20180301152116.1486-151-alexander.levin@microsoft.com> References: <20180301152116.1486-1-alexander.levin@microsoft.com> In-Reply-To: <20180301152116.1486-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Mohamed Ghannam This patch has been added to the 4.1 stable tree. If you have any objections, please let us know. =============== [ Upstream commit c095508770aebf1b9218e77026e48345d719b17c ] When args->nr_local is 0, nr_pages also gets 0 due to some size calculation via rds_rm_size(), which is later used to allocate pages for DMA; this bug produces a heap Out-Of-Bound write access to a specific memory region. Signed-off-by: Mohamed Ghannam Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 612c3050d514..3e6b133c5e96 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c 
@@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) =20 local_vec =3D (struct rds_iovec __user *)(unsigned long) args->local_vec_= addr; =20 + if (args->nr_local =3D=3D 0) + return -EINVAL; + /* figure out the number of pages in the vector */ for (i =3D 0; i < args->nr_local; i++) { if (copy_from_user(&vec, &local_vec[i], --=20 2.14.1
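Review bot: the commit message should spell out the call chain that makes rds_rdma_extra_size() the right place for this check: the subject names rds_message_alloc_sgs(), the body names rds_rm_size(), but the hunk changes rds_rdma_extra_size(), so a reader cannot see from the patch alone how a zero args->nr_local here turns into a zero nr_pages and then an undersized allocation that is written past its end. One sentence along the lines of "rds_rm_size() presumably relies on rds_rdma_extra_size() to count the pages in the local vector; with nr_local == 0 that count is 0, so the later allocation is too small" would make the review self-contained. The placement of the new check itself reads correctly: rejecting nr_local == 0 with -EINVAL before the `for (i = 0; i < args->nr_local; i++)` loop turns what was a silently skipped loop reporting zero pages into an explicit error to the caller.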