Received: by 10.213.65.68 with SMTP id h4csp473559imn; Tue, 13 Mar 2018 10:09:13 -0700 (PDT) X-Google-Smtp-Source: AG47ELuhgeikxqiMgBaipK3krGAwieb2yK7LmRKDwjRyhE0RROT+uDjWdIDxTCtfmDQDA4FVv36v X-Received: by 10.98.59.218 with SMTP id w87mr1303271pfj.37.1520960953602; Tue, 13 Mar 2018 10:09:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1520960953; cv=none; d=google.com; s=arc-20160816; b=F6pm9j1NpidfFLrzse8BEx8KTTKyVg3mHVS4i4DVGWxOYCIcOUnAbl8VmqrBbcigsr uDbiqsKZuY/63mvyhF+nty07/Rbm5I9C3ak8fgCCKFbKizpJOG21WLuetdd1J+13x09F z6IVDza1OOT6GNQHVoi6ZGYZ31fkIsBSj7TkyReF3FYg5BDgfbPNB6vAt/zeli1VZW/F //J1NrrMdsG8TulYGXUlgak33WuNwMm3TD3qX7CMILjtNRPWFBPM+q/dxIpkIgb0zRpT gR7BR60ywOBHhxbri4SXkufHqVKxG/1oBxmts14d2OfYt667J4XCj1WRPr5uptPKydg1 /SVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=N0sRt2BcfslHn2tk0IHucoGW3Xo9RjdgmAvtcmfjrLo=; b=06OykxWhBjPlt70UH8u+371fTGL3l//b5HKA86rqx7rMCiswcYqpwVD6k6nzuADyp2 M2E2F68ola+8N9LdmOyTy8nQZoDuqH2+o+zawktlH7tBb9JQRaVkBFjypjw0S/XGMTa3 oMXSX5XV58G+XYCSCKdznGsTWXchQ+qxFt+drC1+QcSBIWm7ZS3q9kb7QyWVkLNLc/5z gY5Hr+OlNi3HoSTmkyB0wEcvosg66J4KxAgkoZOKg3ZwnmGHFHVTkWxB5Ql/jHoF4TeU hpaS/z4JYy5q7HPqbmFw9e6jyUd+zHOSSOxag6H6E11oOy577XgfAOhcKQ0kWKlrJv0d b4pw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p9si431637pff.235.2018.03.13.10.08.58; Tue, 13 Mar 2018 10:09:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932565AbeCMP16 (ORCPT + 99 others); Tue, 13 Mar 2018 11:27:58 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:57326 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932528AbeCMP1y (ORCPT ); Tue, 13 Mar 2018 11:27:54 -0400 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8BD6011CD; Tue, 13 Mar 2018 15:27:53 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzkaller , Noa Osherovich , Yishai Hadas , Leon Romanovsky , Doug Ledford Subject: [PATCH 4.15 003/146] RDMA/mlx5: Fix integer overflow while resizing CQ Date: Tue, 13 Mar 2018 16:22:50 +0100 Message-Id: <20180313152320.841470041@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180313152320.439085687@linuxfoundation.org> References: <20180313152320.439085687@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Leon Romanovsky commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. The user can provide very large cqe_size which will cause to integer overflow as it can be seen in the following UBSAN warning: ======================================================================= UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 signed integer overflow: 64870 * 65536 cannot be represented in type 'int' CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 Call Trace: dump_stack+0xde/0x164 ? dma_virt_map_sg+0x22c/0x22c ubsan_epilogue+0xe/0x81 handle_overflow+0x1f3/0x251 ? __ubsan_handle_negate_overflow+0x19b/0x19b ? lock_acquire+0x440/0x440 mlx5_ib_resize_cq+0x17e7/0x1e40 ? cyc2ns_read_end+0x10/0x10 ? native_read_msr_safe+0x6c/0x9b ? cyc2ns_read_end+0x10/0x10 ? mlx5_ib_modify_cq+0x220/0x220 ? sched_clock_cpu+0x18/0x200 ? lookup_get_idr_uobject+0x200/0x200 ? rdma_lookup_get_uobject+0x145/0x2f0 ib_uverbs_resize_cq+0x207/0x3e0 ? ib_uverbs_ex_create_cq+0x250/0x250 ib_uverbs_write+0x7f9/0xef0 ? cyc2ns_read_end+0x10/0x10 ? print_irqtrace_events+0x280/0x280 ? ib_uverbs_ex_create_cq+0x250/0x250 ? uverbs_devnode+0x110/0x110 ? sched_clock_cpu+0x18/0x200 ? do_raw_spin_trylock+0x100/0x100 ? __lru_cache_add+0x16e/0x290 __vfs_write+0x10d/0x700 ? uverbs_devnode+0x110/0x110 ? kernel_read+0x170/0x170 ? sched_clock_cpu+0x18/0x200 ? security_file_permission+0x93/0x260 vfs_write+0x1b0/0x550 SyS_write+0xc7/0x1a0 ? SyS_read+0x1a0/0x1a0 ? trace_hardirqs_on_thunk+0x1a/0x1c entry_SYSCALL_64_fastpath+0x1e/0x8b RIP: 0033:0x433549 RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 ======================================================================= Cc: syzkaller Cc: # 3.13 Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") Reported-by: Noa Osherovich Reviewed-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -1177,7 +1177,12 @@ static int resize_user(struct mlx5_ib_de if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);