From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Fabian Yamaguchi" <fabs@goesec.de>,
"Mike Marciniszyn" <mike.marciniszyn@intel.com>,
"Dennis Dalessandro" <dennis.dalessandro@intel.com>,
"Roland Dreier" <roland@purestorage.com>,
"Nico Golde" <nico@ngolde.de>
Subject: [PATCH 3.2 49/94] IB/ipath: Fix potential buffer overrun in sending diag packet routine
Date: Mon, 28 Apr 2014 02:11:22 +0100 [thread overview]
Message-ID: <lsq.1398647482.204418996@decadent.org.uk> (raw)
In-Reply-To: <lsq.1398647481.453080089@decadent.org.uk>
3.2.58-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Dalessandro <dennis.dalessandro@intel.com>
commit a2cb0eb8a64adb29a99fd864013de957028f36ae upstream.
Guard against a potential buffer overrun. The size to read from the
user is passed in, and due to the padding that needs to be taken into
account, as well as the place holder for the ICRC it is possible to
overflow the 32bit value which would cause more data to be copied from
user space than is allocated in the buffer.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/hw/ipath/ipath_diag.c | 66 ++++++++++++--------------------
1 file changed, 25 insertions(+), 41 deletions(-)
--- a/drivers/infiniband/hw/ipath/ipath_diag.c
+++ b/drivers/infiniband/hw/ipath/ipath_diag.c
@@ -326,7 +326,7 @@ static ssize_t ipath_diagpkt_write(struc
size_t count, loff_t *off)
{
u32 __iomem *piobuf;
- u32 plen, clen, pbufn;
+ u32 plen, pbufn, maxlen_reserve;
struct ipath_diag_pkt odp;
struct ipath_diag_xpkt dp;
u32 *tmpbuf = NULL;
@@ -335,51 +335,29 @@ static ssize_t ipath_diagpkt_write(struc
u64 val;
u32 l_state, lt_state; /* LinkState, LinkTrainingState */
- if (count < sizeof(odp)) {
- ret = -EINVAL;
- goto bail;
- }
if (count == sizeof(dp)) {
if (copy_from_user(&dp, data, sizeof(dp))) {
ret = -EFAULT;
goto bail;
}
- } else if (copy_from_user(&odp, data, sizeof(odp))) {
- ret = -EFAULT;
+ } else if (count == sizeof(odp)) {
+ if (copy_from_user(&odp, data, sizeof(odp))) {
+ ret = -EFAULT;
+ goto bail;
+ }
+ } else {
+ ret = -EINVAL;
goto bail;
}
- /*
- * Due to padding/alignment issues (lessened with new struct)
- * the old and new structs are the same length. We need to
- * disambiguate them, which we can do because odp.len has never
- * been less than the total of LRH+BTH+DETH so far, while
- * dp.unit (same offset) unit is unlikely to get that high.
- * Similarly, dp.data, the pointer to user at the same offset
- * as odp.unit, is almost certainly at least one (512byte)page
- * "above" NULL. The if-block below can be omitted if compatibility
- * between a new driver and older diagnostic code is unimportant.
- * compatibility the other direction (new diags, old driver) is
- * handled in the diagnostic code, with a warning.
- */
- if (dp.unit >= 20 && dp.data < 512) {
- /* very probable version mismatch. Fix it up */
- memcpy(&odp, &dp, sizeof(odp));
- /* We got a legacy dp, copy elements to dp */
- dp.unit = odp.unit;
- dp.data = odp.data;
- dp.len = odp.len;
- dp.pbc_wd = 0; /* Indicate we need to compute PBC wd */
- }
-
/* send count must be an exact number of dwords */
if (dp.len & 3) {
ret = -EINVAL;
goto bail;
}
- clen = dp.len >> 2;
+ plen = dp.len >> 2;
dd = ipath_lookup(dp.unit);
if (!dd || !(dd->ipath_flags & IPATH_PRESENT) ||
@@ -422,16 +400,22 @@ static ssize_t ipath_diagpkt_write(struc
goto bail;
}
- /* need total length before first word written */
- /* +1 word is for the qword padding */
- plen = sizeof(u32) + dp.len;
-
- if ((plen + 4) > dd->ipath_ibmaxlen) {
+ /*
+ * need total length before first word written, plus 2 Dwords. One Dword
+ * is for padding so we get the full user data when not aligned on
+ * a word boundary. The other Dword is to make sure we have room for the
+ * ICRC which gets tacked on later.
+ */
+ maxlen_reserve = 2 * sizeof(u32);
+ if (dp.len > dd->ipath_ibmaxlen - maxlen_reserve) {
ipath_dbg("Pkt len 0x%x > ibmaxlen %x\n",
- plen - 4, dd->ipath_ibmaxlen);
+ dp.len, dd->ipath_ibmaxlen);
ret = -EINVAL;
- goto bail; /* before writing pbc */
+ goto bail;
}
+
+ plen = sizeof(u32) + dp.len;
+
tmpbuf = vmalloc(plen);
if (!tmpbuf) {
dev_info(&dd->pcidev->dev, "Unable to allocate tmp buffer, "
@@ -473,11 +457,11 @@ static ssize_t ipath_diagpkt_write(struc
*/
if (dd->ipath_flags & IPATH_PIO_FLUSH_WC) {
ipath_flush_wc();
- __iowrite32_copy(piobuf + 2, tmpbuf, clen - 1);
+ __iowrite32_copy(piobuf + 2, tmpbuf, plen - 1);
ipath_flush_wc();
- __raw_writel(tmpbuf[clen - 1], piobuf + clen + 1);
+ __raw_writel(tmpbuf[plen - 1], piobuf + plen + 1);
} else
- __iowrite32_copy(piobuf + 2, tmpbuf, clen);
+ __iowrite32_copy(piobuf + 2, tmpbuf, plen);
ipath_flush_wc();
next prev parent reply other threads:[~2014-04-28 1:11 UTC|newest]
Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-28 1:11 [PATCH 3.2 00/94] 3.2.58-rc1 review Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 15/94] rds: prevent dereference of a NULL device in rds_iw_laddr_check Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 18/94] sparc32: fix build failure for arch_jump_label_transform Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 07/94] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 22/94] drm/i915: quirk invert brightness for Acer Aspire 5336 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 08/94] vhost: fix total length when packets are too short Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 02/94] bridge: multicast: add sanity check for query source addresses Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 13/94] isdnloop: Validate NUL-terminated strings from user Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 27/94] framebuffer: fix cfb_copyarea Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 03/94] net: unix: non blocking recvmsg() should not return -EINTR Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 19/94] sparc64: don't treat 64-bit syscall return codes as 32-bit Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 26/94] matroxfb: restore the registers M_ACCESS and M_PITCH Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 23/94] w1: fix w1_send_slave dropping a slave id Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 12/94] netlink: don't compare the nul-termination in nla_strcmp Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 05/94] net: socket: error on a negative msg_namelen Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 11/94] ipv6: some ipv6 statistic counters failed to disable bh Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 20/94] ipv6: don't set DST_NOCOUNT for remotely added routes Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 24/94] ARM: mm: introduce present, faulting entries for PAGE_NONE Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 17/94] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 21/94] drm/i915: inverted brightness quirk for Acer Aspire 4736Z Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 14/94] isdnloop: several buffer overflows Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 25/94] ARM: 7954/1: mm: remove remaining domain support from ARMv6 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 09/94] vhost: validate vhost_get_vq_desc return value Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 01/94] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 04/94] vlan: Set correct source MAC address with TX VLAN offload enabled Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 06/94] ipv6: Avoid unnecessary temporary addresses being generated Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 10/94] xen-netback: remove pointless clause from if statement Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 16/94] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 43/94] jffs2: Fix segmentation fault found in stress test Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 44/94] jffs2: Fix crash due to truncation of csize Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 64/94] nfsd: notify_change needs elevated write count Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 83/94] ALSA: ice1712: Fix boundary checks in PCM pointer ops Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 65/94] drm/i915/tv: fix gen4 composite s-video tv-out Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 28/94] mach64: use unaligned access Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 52/94] mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 34/94] tty: Set correct tty name in 'active' sysfs attribute Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 32/94] usb: dwc3: fix wrong bit mask in dwc3_event_devt Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 59/94] gpio: mxs: Allow for recursive enable_irq_wake() call Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 89/94] Char: ipmi_bt_sm, fix infinite loop Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 42/94] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 76/94] ocfs2: dlm: fix lock migration crash Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 82/94] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 38/94] rtlwifi: rtl8192se: Fix too long disable of IRQs Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 84/94] lib/percpu_counter.c: fix bad percpu counter state during suspend Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 37/94] blktrace: fix accounting of partially completed requests Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 74/94] drm/radeon: call drm_edid_to_eld when we update the edid Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 70/94] IB/mthca: Return an error on ib_copy_to_udata() failure Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 73/94] drm/vmwgfx: correct fb_fix_screeninfo.line_length Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 61/94] nfsd4: buffer-length check for SUPPATTR_EXCLCREAT Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 75/94] sh: fix format string bug in stack tracer Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 86/94] x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 29/94] mach64: fix cursor when character width is not a multiple of 8 pixels Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 47/94] ext4: fix partial cluster handling for bigalloc file systems Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 93/94] powernow-k6: reorder frequencies Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 50/94] IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 85/94] b43: Fix machine check error due to improper access of B43_MMIO_PSM_PHY_HDR Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 71/94] IB/ehca: Returns an error on ib_copy_to_udata() failure Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 91/94] powernow-k6: disable cache when changing frequency Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 79/94] iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 94/94] Revert "alpha: fix broken network checksum" Ben Hutchings
2014-04-28 1:11 ` Ben Hutchings [this message]
2014-04-28 1:11 ` [PATCH 3.2 45/94] iwlwifi: dvm: take mutex when sending SYNC BT config command Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 53/94] mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 54/94] mfd: max8925: " Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 81/94] mm: hugetlb: fix softlockup when a large number of hugepages are freed Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 36/94] usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is enabled Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 80/94] mm: try_to_unmap_cluster() should lock_page() before mlocking Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 33/94] [media] media: gspca: sn9c20x: add ID for Genius Look 1320 V2 Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 90/94] selinux: correctly label /proc inodes in use before the policy is loaded Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 62/94] nfsd4: session needs room for following op to error out Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 46/94] virtio_balloon: don't softlockup on huge balloon changes Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 72/94] reiserfs: fix race in readdir Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 68/94] MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 87/94] target/tcm_fc: Fix use-after-free of ft_tpg Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 30/94] tgafb: fix data copying Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 92/94] powernow-k6: correctly initialize default parameters Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 66/94] dm thin: fix dangling bio in process_deferred_bios error path Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 40/94] Btrfs: skip submitting barrier for missing device Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 88/94] drivers: hv: additional switch to use mb() instead of smp_mb() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 78/94] ocfs2: do not put bh when buffer_uptodate failed Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 57/94] audit: convert PPIDs to the inital PID namespace Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 60/94] x86, hyperv: Bypass the timer_irq_works() check Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 39/94] staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 67/94] nfsd4: fix setclientid encode size Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 58/94] Btrfs: fix deadlock with nested trans handles Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 56/94] pid: get pid_t ppid of task in init_pid_ns Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 48/94] ath9k: fix ready time of the multicast buffer queue Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 41/94] jffs2: remove from wait queue after schedule() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 35/94] [media] uvcvideo: Do not use usb_set_interface on bulk EP Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 55/94] mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy error Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 77/94] ocfs2: dlm: fix recovery hung Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 31/94] hvc: ensure hvc_init is only ever called once in hvc_console.c Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 63/94] nfsd: Add fh_{want,drop}_write() Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 69/94] ALSA: hda - Enable beep for ASUS 1015E Ben Hutchings
2014-04-28 1:11 ` [PATCH 3.2 51/94] mfd: Include all drivers in subsystem menu Ben Hutchings
2014-04-28 15:05 ` [PATCH 3.2 00/94] 3.2.58-rc1 review Ben Hutchings
2014-04-29 4:01 ` Guenter Roeck
2014-04-30 12:21 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1398647482.204418996@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=dennis.dalessandro@intel.com \
--cc=fabs@goesec.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.marciniszyn@intel.com \
--cc=nico@ngolde.de \
--cc=roland@purestorage.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox