From: Shachar Raindel <raindel@mellanox.com>
Date: Sun, 4 Jan 2015 18:30:32 +0200
Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address
arithmetic
Properly verify that the resulting page aligned end address is larger
than both the start address and the length of the memory area
requested.
Both the start and length arguments for ib_umem_get are controlled by
the user. A misbehaving user can provide values which will cause an
integer overflow when calculating the page aligned end address.
This overflow can also cause miscalculation of the number of pages
mapped, and additional logic issues.
Issue: 470602
Change-Id: Iee88441db454af291fc5a376009d840603398d23
Signed-off-by: Shachar Raindel <raindel@mellanox.com>
Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
---
drivers/infiniband/core/umem.c | 8 ++++++++
1 file changed, 8 insertions(+)
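diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index aec7a6aa2951..8c014b5dab4c 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	if (dmasync)
 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
 
+	/*
+	 * If the combination of the addr and size requested for this memory
+	 * region causes an integer overflow, return error.
+	 */
+	if ((PAGE_ALIGN(addr + size) <= size) ||
+	    (PAGE_ALIGN(addr + size) <= addr))
+		return ERR_PTR(-EINVAL);
+
 	if (!can_do_mlock())
 		return ERR_PTR(-EPERM);
 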
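Review bot: The `<=` comparisons in the added check reject two inputs that do not overflow at all — `size == 0` with a page-aligned `addr` trips the second test, and `addr == 0` with a page-multiple `size` trips the first — so those callers get -EINVAL for a reason the comment above the check does not describe. The two places the arithmetic can wrap are the sum and the page round-up, and each can be tested directly and exactly: `unsigned long end = addr + size;` followed by `if (end < addr || PAGE_ALIGN(end) < end) return ERR_PTR(-EINVAL);`, which also evaluates PAGE_ALIGN once instead of twice. If zero-length regions are meant to be refused as well, an explicit `if (!size)` test states that intent instead of leaving it to the equality case. The declared type of `size` is not visible in the hunk; this assumes it is unsigned and no wider than `addr`, and ib_umem_get starts and ends outside the hunk.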
--
2.1.0