Received: by 10.213.65.68 with SMTP id h4csp440093imn;
        Tue, 13 Mar 2018 09:06:51 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtkxFLzOBknLTvS1uEkFj+tCMammUJ8JfCnHcaDzZ8HLmK55KjeajyeL7BZRu6NxF+rQDbM
X-Received: by 10.99.109.198 with SMTP id i189mr917169pgc.328.1520957211703;
        Tue, 13 Mar 2018 09:06:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520957211; cv=none;
        d=google.com; s=arc-20160816;
        b=g2XiicmX1eqPg5OuMvueB8D2OiZ5Gl62TAe/yeTErEd8i0AETEhmb6leOn/HhgfHvK
         dXgNYq8ZcHglMXhQd2I5N4mgADuk4D19ccVT/80vkaZYnnUTbdGOw0siMdGbWMWiyKU5
         tx9snkBsuz5+YGbM0bPs0Xgu69pcpegBZ5uOqf/Q1DnPXMpwBTD0rfC8BxdGaZ1LIZ2O
         3OR6K9VfpXSAIMJwdYDo8/hVnesqyY4B+uOWCa2aVyp27FNzteG7rBHRV2rtWUsM3rQY
         qfwJt2kD8t44GWlY3qFFdNWOrzFW0cZFktqK7uVkV0APvyXsYs4f3jp88A4xhkNgV5ST
         dCyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=rd7Oklne1YZhKYHHmZjIGoiR7d4gEQU1A39qUCYuF6g=;
        b=ICnlz2D/ltvI7WgE5MSK/6ljqmRMlgkInFTQXBT88KPGerB0ATzue/YJouxwevI/ue
         PegoORYyOGlWtQYVjSji5RR4fpm5/K+JIXoSvnvZemkY8Z2UjxitR9/A3HLSFybsQsdf
         Lc17Mxg82AGill6ft0PoRYXqGldSAUtykXrM5rXBHUqjVShvw0LARnegqfZs8E2ofeR9
         lZo1oIVQBh0sn5nK5MYfDjYMdsGhzn7xEvs4r9/LD6z0cxNeOooC0/aMpPgK8QBSdklr
         Z/4fGAd2KRX3TSEHUHtymVReeMPdk5f+rFerUXA2oheLC1c7Rn20tK76owpKcb04aWIX
         gkgg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e13si339033pff.8.2018.03.13.09.06.37;
        Tue, 13 Mar 2018 09:06:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934481AbeCMQDF (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Tue, 13 Mar 2018 12:03:05 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:33812 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932439AbeCMPhH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 11:37:07 -0400
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id A07111238;
        Tue, 13 Mar 2018 15:37:06 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com,
        Leon Romanovsky <leonro@mellanox.com>,
        Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.14 046/140] RDMA/ucma: Limit possible option size
Date:   Tue, 13 Mar 2018 16:24:09 +0100
Message-Id: <20180313152501.348471825@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152458.201155692@linuxfoundation.org>
References: <20180313152458.201155692@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.

Users of ucma are supposed to provide size of option level,
in most paths it is supposed to be equal to u8 or u16, but
it is not the case for the IB path record, where it can be
multiple of struct ib_path_rec_data.

This patch takes simplest possible approach and prevents providing
values more than possible to allocate.

Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+		return -EINVAL;
+
 	optval = memdup_user((void __user *) (unsigned long) cmd.optval,
 			     cmd.optlen);
 	if (IS_ERR(optval)) {