From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Ilja Van Sprundel <ivansprundel@ioactive.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>,
Jason Gunthorpe <jgg@nvidia.com>
Subject: [PATCH 4.4 05/19] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
Date: Wed, 10 Nov 2021 19:43:07 +0100 [thread overview]
Message-ID: <20211110182001.427313108@linuxfoundation.org> (raw)
In-Reply-To: <20211110182001.257350381@linuxfoundation.org>
From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream.
Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.
Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/qib/qib_user_sdma.c | 33 ++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
@@ -607,7 +607,7 @@ done:
/*
* How many pages in this iovec element?
*/
-static int qib_user_sdma_num_pages(const struct iovec *iov)
+static size_t qib_user_sdma_num_pages(const struct iovec *iov)
{
const unsigned long addr = (unsigned long) iov->iov_base;
const unsigned long len = iov->iov_len;
@@ -663,7 +663,7 @@ static void qib_user_sdma_free_pkt_frag(
static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
struct qib_user_sdma_queue *pq,
struct qib_user_sdma_pkt *pkt,
- unsigned long addr, int tlen, int npages)
+ unsigned long addr, int tlen, size_t npages)
{
struct page *pages[8];
int i, j;
@@ -727,7 +727,7 @@ static int qib_user_sdma_pin_pkt(const s
unsigned long idx;
for (idx = 0; idx < niov; idx++) {
- const int npages = qib_user_sdma_num_pages(iov + idx);
+ const size_t npages = qib_user_sdma_num_pages(iov + idx);
const unsigned long addr = (unsigned long) iov[idx].iov_base;
ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr,
@@ -829,8 +829,8 @@ static int qib_user_sdma_queue_pkts(cons
unsigned pktnw;
unsigned pktnwc;
int nfrags = 0;
- int npages = 0;
- int bytes_togo = 0;
+ size_t npages = 0;
+ size_t bytes_togo = 0;
int tiddma = 0;
int cfur;
@@ -890,7 +890,11 @@ static int qib_user_sdma_queue_pkts(cons
npages += qib_user_sdma_num_pages(&iov[idx]);
- bytes_togo += slen;
+ if (check_add_overflow(bytes_togo, slen, &bytes_togo) ||
+ bytes_togo > type_max(typeof(pkt->bytes_togo))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
pktnwc += slen >> 2;
idx++;
nfrags++;
@@ -909,8 +913,7 @@ static int qib_user_sdma_queue_pkts(cons
}
if (frag_size) {
- int tidsmsize, n;
- size_t pktsize;
+ size_t tidsmsize, n, pktsize, sz, addrlimit;
n = npages*((2*PAGE_SIZE/frag_size)+1);
pktsize = struct_size(pkt, addr, n);
@@ -928,14 +931,24 @@ static int qib_user_sdma_queue_pkts(cons
else
tidsmsize = 0;
- pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL);
+ if (check_add_overflow(pktsize, tidsmsize, &sz)) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt = kmalloc(sz, GFP_KERNEL);
if (!pkt) {
ret = -ENOMEM;
goto free_pbc;
}
pkt->largepkt = 1;
pkt->frag_size = frag_size;
- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr);
+ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr),
+ &addrlimit) ||
+ addrlimit > type_max(typeof(pkt->addrlimit))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt->addrlimit = addrlimit;
if (tiddma) {
char *tidsm = (char *)pkt + pktsize;
next prev parent reply other threads:[~2021-11-10 18:44 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 18:43 [PATCH 4.4 00/19] 4.4.292-rc1 review Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 01/19] scsi: core: Put LLD module refcnt after SCSI device is released Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 02/19] ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 03/19] net: hso: register netdev later to avoid a race condition Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 04/19] IB/qib: Use struct_size() helper Greg Kroah-Hartman
2021-11-10 18:43 ` Greg Kroah-Hartman [this message]
2021-11-10 18:43 ` [PATCH 4.4 06/19] usb: gadget: Mark USB_FSL_QE broken on 64-bit Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 07/19] usb-storage: Add compatibility quirk flags for iODD 2531/2541 Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 08/19] printk/console: Allow to disable console output by using console="" or console=null Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 09/19] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 10/19] isofs: Fix out of bound access for corrupted isofs image Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 11/19] comedi: dt9812: fix DMA buffers on stack Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 12/19] comedi: ni_usb6501: fix NULL-deref in command paths Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 13/19] staging: comedi: drivers: replace le16_to_cpu() with usb_endpoint_maxp() Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 14/19] comedi: vmk80xx: fix transfer-buffer overflows Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 15/19] comedi: vmk80xx: fix bulk-buffer overflow Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 16/19] comedi: vmk80xx: fix bulk and interrupt message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 17/19] staging: r8712u: fix control-message timeout Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 18/19] staging: rtl8192u: fix control-message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.4 19/19] rsi: fix control-message timeout Greg Kroah-Hartman
2021-11-11 16:41 ` [PATCH 4.4 00/19] 4.4.292-rc1 review Pavel Machek
2021-11-11 18:44 ` Naresh Kamboju
2021-11-11 19:06 ` Shuah Khan
2021-11-12 0:57 ` Guenter Roeck
2021-11-12 15:40 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211110182001.427313108@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dennis.dalessandro@cornelisnetworks.com \
--cc=ivansprundel@ioactive.com \
--cc=jgg@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.marciniszyn@cornelisnetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox