Received: by 10.213.65.68 with SMTP id h4csp473640imn;
        Tue, 13 Mar 2018 10:09:24 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtN2YNU3VH9NV2lcZx885U901Bc0a6i5shj0jsdObtX9u3omZTQ+f8CddSqelTHREozDVmo
X-Received: by 2002:a17:902:7482:: with SMTP id h2-v6mr1230022pll.264.1520960964625;
        Tue, 13 Mar 2018 10:09:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520960964; cv=none;
        d=google.com; s=arc-20160816;
        b=HQ1TgYK3145qx2CShPFUIiF+319UyEBA4oCRJJrMyI5F09/VrTwNZA06ccxUCTzg5T
         pPVRT9cUrzmFTLJ+huIqFWJBgYMtljzfhb/8Q+mfbqbvW0akXaG3Bl5yJuWTldQmzBNc
         UruYesepjRbOxsMESNqxgT9KgxzJZCvofZUylE7NbLEhMGahYQVthNh0Bp9AUA4dw3Gn
         c30Ds0U9TSzzFDj7P3f5yzY0y51Vdfzn1f5jXIKPreeeYWxdr+fm6hdGPBS/LXULX2LI
         ud1qQLxsizLjhe6+UlnY5IREqS4EuChvfZzeAINx6X5ifdYn/ZuWaPQA9D/EHymIHo40
         SXWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=2qXlx6umLFNkmH2X4Ud1qQLZ1R/auvVZp19FkiS+Eao=;
        b=Kk7K8QxRKV+sGKgwFUQ7qE0/+MvBHBCHHYm/CsjY0jONvEGLzMrjA6jl060XXLLCtL
         UEoAvkktaRSIgVbh5RDKT4Et6o76iPvqsL5jCNBeLHWSnMG9piTAazPuUFWD7juVylpC
         J2sJUce0eTxfkzeTwT1vZz+l4LJ71mMoc/+UdogCvb40SNSnuSdVqGG4gG7Z6BTdYQW5
         y7OmN6fjSWL4MATbpfhGHCCZc9KrkkKLU11nE3SCt8TveRPbHD6NBgHkHAGdM0jBqP52
         iJ2xxrZ/yoVpNDH0Y1uoApOKQSI24pDqYlaSTGNIOljFK68aSrpeat9HZA4Er8buurcm
         mB4g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n25si308758pgc.87.2018.03.13.10.09.10;
        Tue, 13 Mar 2018 10:09:24 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932462AbeCMP1o (ORCPT <rfc822;plaguedbypenguins@gmail.com>
        + 99 others); Tue, 13 Mar 2018 11:27:44 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:57252 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932277AbeCMP1m (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 11:27:42 -0400
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id C0D4B11A6;
        Tue, 13 Mar 2018 15:27:41 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com,
        Leon Romanovsky <leonro@mellanox.com>,
        Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.15 001/146] RDMA/ucma: Limit possible option size
Date:   Tue, 13 Mar 2018 16:22:48 +0100
Message-Id: <20180313152320.681030850@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180313152320.439085687@linuxfoundation.org>
References: <20180313152320.439085687@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.

Users of ucma are supposed to provide size of option level,
in most paths it is supposed to be equal to u8 or u16, but
it is not the case for the IB path record, where it can be
multiple of struct ib_path_rec_data.

This patch takes simplest possible approach and prevents providing
values more than possible to allocate.

Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+		return -EINVAL;
+
 	optval = memdup_user((void __user *) (unsigned long) cmd.optval,
 			     cmd.optlen);
 	if (IS_ERR(optval)) {