Received: by 10.213.65.68 with SMTP id h4csp525131imn;
        Fri, 16 Mar 2018 10:22:46 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvN1beMltVJG6x1MYjXnaObforA42YubjF3zyoDZcmuQs2nYt/8XUNcofF5VdoYvo7VPCfK
X-Received: by 10.99.100.6 with SMTP id y6mr2057343pgb.254.1521220966183;
        Fri, 16 Mar 2018 10:22:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521220966; cv=none;
        d=google.com; s=arc-20160816;
        b=XcrZXLgAOHZZY1BC8zG7sroaLGFgx0/FbSHU2fFXUo5Z8T/LOA8/Ug/skgdbdxSasm
         ydZE4fKYxsMMh00CmogIFzlebdOVvO1uAeqHJl07wvovN3l/DvoQ+VLFAIBbNIaz9n3n
         s+aYROuSV6PKlrxKc8ahU42mzHEr5zBTVq7xIvi2FM1HEmH1KkPYdGD0fZBaQFANAV20
         Uk0tVpY38en9e1qK+88uzMP+K0rGbM7YG4pkFVeqGTYYb8oaiI39Km3LG1urFyXYC2uk
         eBOACNIr8jBdIboD/UdzlQnK0Cv9t3GmZEwDxO7glS9PJxKpI0Ct5oNERNfabLsDpb5C
         uiTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=EsOdeNCXXWgc2SC1624osEl2Hnuvnnz4KCFO+U8i1c4=;
        b=qMnOIYqYIu3aW/sLewTVZ1ZQKLjFVI+A2k9eMrTGUvtcrYEvuykSZTiLKK55fX2OV7
         OhzQj3Q2TUttNjXvpJpSB7w3opXkKfeZwF97aWo5rRAB1KlUA6sGpHtu4FNTokLCH1ds
         PevGWxULx9iG4bXdlXLRfpJ6sHvKpDIlHUEtYuAeD/vbbD8RRdOdSkAIYNYQUAAR0sjU
         p1to0xXvQIlWH2RZzMJGm31x9QGcwSN62+h9CmwI9VtRPsAJmBIGxrL3tZutmfjZCn1V
         LMs2TKo2rIOghRabrZ7VCT6mGLGhjvRSg8v7/fA6hXJYlxS4kFjDbki/rRqoAyr+xgNN
         A6Og==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p66si4864781pfk.100.2018.03.16.10.22.31;
        Fri, 16 Mar 2018 10:22:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753184AbeCPRU0 (ORCPT <rfc822;carmate383@gmail.com>
        + 99 others); Fri, 16 Mar 2018 13:20:26 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:36270 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753539AbeCPP3v (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 16 Mar 2018 11:29:51 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 31ECCFB0;
        Fri, 16 Mar 2018 15:29:51 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com,
        Leon Romanovsky <leonro@mellanox.com>,
        Doug Ledford <dledford@redhat.com>
Subject: [PATCH 4.9 01/86] RDMA/ucma: Limit possible option size
Date:   Fri, 16 Mar 2018 16:22:24 +0100
Message-Id: <20180316152317.275463084@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180316152317.167709497@linuxfoundation.org>
References: <20180316152317.167709497@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.

Users of ucma are supposed to provide size of option level,
in most paths it is supposed to be equal to u8 or u16, but
it is not the case for the IB path record, where it can be
multiple of struct ib_path_rec_data.

This patch takes simplest possible approach and prevents providing
values more than possible to allocate.

Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1275,6 +1275,9 @@ static ssize_t ucma_set_option(struct uc
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+		return -EINVAL;
+
 	optval = memdup_user((void __user *) (unsigned long) cmd.optval,
 			     cmd.optlen);
 	if (IS_ERR(optval)) {