One 4.0 RDMA change:

- Fix for exploitable integer overflow in uverbs interface. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABCAAGBQJVHXfzAAoJEENa44ZhAt0hRzoP/00LTWa/XN9lyaF55vPwTvI1 AeTAIomgiazCqPNS5/gy+V0qaG9rwMD40K1+zWZJDQazswioG7CA9uA0aEBusJke bwoAIVW3ozBC/+e0BOdQENuVKm49a9Vjar2UJUPNQzwGvbyTTQy+7+3JZZ9ZYP1p rkP3/E7ql/qhDhfWLWrj81/mZI5WXQbkgW7F/vRS5Q+ltosE8DJUNFC1QhW0bo7y LmcTM72C/sBeVorTsYT2q03aA5YyAyHf3EzdebRUn1WpH3B/w/3QOHLRynEjyWxo 7QgWtdqKIdy9z9CzD/KFdSJowtByjcZHutdS5v3GL2IL80XEbILwh9X+7sE9q9RU FFDl5JLNkxjQ3fF+wCk4NMpjoFxeTa42YDyYVyOhc3WXITtnVacAkPh+62//tG4D Z/Mcoa0fcuQRDfT6kW5jVQf0BSTcgNuv+fVt2d50Kase2IU5f96G54zl2WnqTvQR aVvr2E+O5jfPJEmKyjjNWurkE3pUARSzN8aoRlxrWdqrrBIS6elJqWFmA4ZChuvS ITLt6ErWNyyLD6WtdnDBu70jPhX6w9sAbyF3QtBB0LYo5jWLW4qLdTrDkVU2bI+D 64ZK4PdMXaI4+AiJY0QlgnusQ0nmgWu1FjkIiOVEBH/DDaraxET9f716cpr1V9Qn WzPu/hNmXclaePHC3yvy =KygA -----END PGP SIGNATURE----- Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband Pull infiniband/rdma fix from Roland Dreier: "Fix for exploitable integer overflow in uverbs interface" * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
2015-04-02 13:35:58 -07:00 · 2015-04-02 13:35:58 -07:00 · 06459fc02f
parent 0a4812798f 8494057ab5
commit 06459fc02f
1 changed files with 8 additions and 0 deletions
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	if (dmasync)
 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);

+	/*
+	 * If the combination of the addr and size requested for this memory
+	 * region causes an integer overflow, return error.
+	 */
+	if ((PAGE_ALIGN(addr + size) <= size) ||
+	    (PAGE_ALIGN(addr + size) <= addr))
+		return ERR_PTR(-EINVAL);
+
 	if (!can_do_mlock())
 		return ERR_PTR(-EPERM);