Received: by 10.213.65.68 with SMTP id h4csp463710imn; Fri, 16 Mar 2018 08:31:24 -0700 (PDT) X-Google-Smtp-Source: AG47ELuMbKbjRtn3hjE+CGddyBkkE0bZ3RPM7hoxlEEBC6dRg5arW7QFIOqeh/eWNLspVqCjJztQ X-Received: by 10.101.101.4 with SMTP id x4mr1792755pgv.275.1521214284396; Fri, 16 Mar 2018 08:31:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521214284; cv=none; d=google.com; s=arc-20160816; b=MoHRWfGM2dYZyR2I7U/+jMk8EhhECj8GO4jOENAk+tZMfMZpLJyseT5bdZpj8BmfH4 A5wm2nX689boD+L1RK14hOSqe5GtU3z7FY2Gc5vBItYfNxWj+TKWa8H4vuNhPjfwpSHG oeRyLyb28uH5jkvmBwQ5KxfMho9H2mlHJHVtfe8CMnowkjFF4TNto38FQUlv9w0Y7Zcc +b5Dcma61mnXRYeukHGppoS3DRSFLiiYsdWzmDB70uy3qfeDfn2fRJbNR3XBuf5cZ57g 22TEc6i2LSzWuYr8+q+JZZ0ZGC5MZ+pLR50dzo3q6EKd0eU7uziFFG6mkKGEXKuXYv9J XNJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=bEgoJxB04wUDdoGYnceTwNagjwapa1oC5skLfuP0tXo=; b=k8XJnCubRIWV5/H15VHmqZZT3MUH+4A6cvmgTV002pb7XWZrMCUetvpHQXEeS7uJWs 2aiy8rjiMRpEQUbQJzq3L2yh7jbUJ3dMPAOO0JI5C5tXBgu50zuzYwXB1EVPYoJTEtRq jNTSaE2Q+TJAUs2lRU+KGGH4TsXGDOBgEL3I0Q+IcU9xNeQFFY7rHB7BE3YdxFGgn3tz IfYbVREItaNpM3H5dIbDKni4bozaB47fI4NhThOYXEnMnp4rrr+3OtumTcHr4SVuvz6X mzcUkGTYdWTvTp25fN+5WjvKEGCUNVW9iPcBSwlKzI63Omq5SoAeI/O8fXBOy37sD1i6 faEg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t9-v6si6270886plq.321.2018.03.16.08.31.09; Fri, 16 Mar 2018 08:31:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933190AbeCPPaA (ORCPT + 99 others); Fri, 16 Mar 2018 11:30:00 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:36294 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933156AbeCPP35 (ORCPT ); Fri, 16 Mar 2018 11:29:57 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id C8987FB0; Fri, 16 Mar 2018 15:29:56 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzkaller , Noa Osherovich , Yishai Hadas , Leon Romanovsky , Doug Ledford Subject: [PATCH 4.9 03/86] RDMA/mlx5: Fix integer overflow while resizing CQ Date: Fri, 16 Mar 2018 16:22:26 +0100 Message-Id: <20180316152317.443634666@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180316152317.167709497@linuxfoundation.org> References: <20180316152317.167709497@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Leon Romanovsky commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. The user can provide very large cqe_size which will cause to integer overflow as it can be seen in the following UBSAN warning: ======================================================================= UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 signed integer overflow: 64870 * 65536 cannot be represented in type 'int' CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 Call Trace: dump_stack+0xde/0x164 ? dma_virt_map_sg+0x22c/0x22c ubsan_epilogue+0xe/0x81 handle_overflow+0x1f3/0x251 ? __ubsan_handle_negate_overflow+0x19b/0x19b ? lock_acquire+0x440/0x440 mlx5_ib_resize_cq+0x17e7/0x1e40 ? cyc2ns_read_end+0x10/0x10 ? native_read_msr_safe+0x6c/0x9b ? cyc2ns_read_end+0x10/0x10 ? mlx5_ib_modify_cq+0x220/0x220 ? sched_clock_cpu+0x18/0x200 ? lookup_get_idr_uobject+0x200/0x200 ? rdma_lookup_get_uobject+0x145/0x2f0 ib_uverbs_resize_cq+0x207/0x3e0 ? ib_uverbs_ex_create_cq+0x250/0x250 ib_uverbs_write+0x7f9/0xef0 ? cyc2ns_read_end+0x10/0x10 ? print_irqtrace_events+0x280/0x280 ? ib_uverbs_ex_create_cq+0x250/0x250 ? uverbs_devnode+0x110/0x110 ? sched_clock_cpu+0x18/0x200 ? do_raw_spin_trylock+0x100/0x100 ? __lru_cache_add+0x16e/0x290 __vfs_write+0x10d/0x700 ? uverbs_devnode+0x110/0x110 ? kernel_read+0x170/0x170 ? sched_clock_cpu+0x18/0x200 ? security_file_permission+0x93/0x260 vfs_write+0x1b0/0x550 SyS_write+0xc7/0x1a0 ? SyS_read+0x1a0/0x1a0 ? trace_hardirqs_on_thunk+0x1a/0x1c entry_SYSCALL_64_fastpath+0x1e/0x8b RIP: 0033:0x433549 RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 ======================================================================= Cc: syzkaller Cc: # 3.13 Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") Reported-by: Noa Osherovich Reviewed-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -1117,7 +1117,12 @@ static int resize_user(struct mlx5_ib_de if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);