From: Shachar Raindel
To: Yann Droneaud
CC: "oss-security@lists.openwall.com", "(linux-rdma@vger.kernel.org)", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
Date: Thu, 2 Apr 2015 10:52:52 +0000

Hi,

> -----Original Message-----
> From: Yann Droneaud [mailto:ydroneaud@opteya.com]
> Sent: Thursday, April 02, 2015 1:05 PM
> To: Shachar Raindel
> Cc: oss-security@lists.openwall.com;
> (linux-rdma@vger.kernel.org); linux-kernel@vger.kernel.org;
> stable@vger.kernel.org
> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected
> physical memory access
>
> Hi,
>
> On Wednesday, 18 March 2015 at 17:39 +0000, Shachar Raindel wrote:
> > Hi,
> >
> > + /*
> > + * If the combination of the addr and size requested for this
> memory
> > + * region causes an integer overflow, return error.
> > + */
> > + if ((PAGE_ALIGN(addr + size) <= size) ||
> > + (PAGE_ALIGN(addr + size) <= addr))
> > + return ERR_PTR(-EINVAL);
> > +
>
> Can access_ok() be used here?
>
>         if (!access_ok(writable ? VERIFY_WRITE : VERIFY_READ,
>                        addr, size))
>                 return ERR_PTR(-EINVAL);
>

No, this will break the current ODP semantics.

ODP allows the user to register memory that is not accessible yet.
This is a critical design feature, as it allows avoiding holding
a registration cache. Adding this check will break the behavior,
forcing memory to be all accessible when registering an ODP MR.

Thanks,
--Shachar
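
Review bot: In the quoted hunk, the two `<=` comparisons reject more than the integer overflow the comment describes. Assuming addr and size are unsigned, a request with size == 0 and a page-aligned addr gives PAGE_ALIGN(addr + size) == addr, and addr == 0 with a page-aligned size gives PAGE_ALIGN(addr + size) == size, so both return -EINVAL without any wrap-around. If rejecting those cases is intended, say so in the comment; otherwise test the wrap directly, for example `addr + size < addr` and `PAGE_ALIGN(addr + size) < addr + size`.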