Received: by 10.213.65.68 with SMTP id h4csp533045imn; Fri, 16 Mar 2018 10:37:32 -0700 (PDT) X-Google-Smtp-Source: AG47ELt6d3ReF27cEentmv+DBJrU5vwujPgKrbLsxdosKssd1/avBjgxyRE1mdoqCTmSebNpZhyo X-Received: by 10.99.124.29 with SMTP id x29mr2020745pgc.402.1521221852853; Fri, 16 Mar 2018 10:37:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521221852; cv=none; d=google.com; s=arc-20160816; b=PiMpDSoQPgigiNHZduTltZYkyW0J4aYgXEI4qObBe9OCvOgi4/Ff/gQQWf4JeDuKyG bC8f2em1K2YDoGjgeh1D3SZywyZz0uQz2lN36MYi+rkixQUGtuMZ/D8fyKQiGlAjGXiq hdjo1UUzJ54IK+mykidR+eURIPl1cboWk4dCzRocsQLnyCa7Em0PwCCQjdC4fF1esOTO /q6ZuAQ6kO/nV9sa0gDojRXNAuPld7ZpAsw1ZUsCI2MRoVm5jZT0c9JqnvV/14rrJnUL WIh1gdg0u1wnGxGYnOyD1J1XItMhpx2arO5C2JrOiSXWL3l9G+de2fM+9vJysz4Ef+y+ 4WOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=MnK9T/4VQvzcgEiRc2s0AjXE03V/eaTJuKgOBJjYE8M=; b=b/++RVMJT49eZ4eEtVvDlY5eN9JqgHXYmqWyaW5zPX22eNd1eLz9l810eUemcPuu85 T3uFCPylLzxlMd0qUzAS60jskFdkzPMxLDQQzkecq1zUCnLaTa2/AuqE8F8jLGOOFo0c l775NZDdrUlvdPI6lj+ItJli2V1wfw0+Wy/0n6OE8J7tuRnU0h6ADjXcwiJP+2Mexs3G lhgu2wh73yzMo620wbj1/xtM5/bxlrs87utGJ98ttH/m9jZX9lSB4dov1XSEv1xwjLaA kKpa4TE7ZM2jcGAcP9chFIXB9X81NtFAgZ0Stn6vu1RmEeTz1SBjJk3c6NrSy/6QGuwg 1jXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c14si5080562pgu.341.2018.03.16.10.37.18; Fri, 16 Mar 2018 10:37:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753705AbeCPRgI (ORCPT + 99 others); Fri, 16 Mar 2018 13:36:08 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:33968 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753340AbeCPP0s (ORCPT ); Fri, 16 Mar 2018 11:26:48 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 77E7B1235; Fri, 16 Mar 2018 15:26:47 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com, Leon Romanovsky , Doug Ledford Subject: [PATCH 4.4 01/63] RDMA/ucma: Limit possible option size Date: Fri, 16 Mar 2018 16:22:33 +0100 Message-Id: <20180316152300.134957368@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180316152259.964532775@linuxfoundation.org> References: <20180316152259.964532775@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Leon Romanovsky commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream. Users of ucma are supposed to provide size of option level, in most paths it is supposed to be equal to u8 or u16, but it is not the case for the IB path record, where it can be multiple of struct ib_path_rec_data. This patch takes simplest possible approach and prevents providing values more than possible to allocate. Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1274,6 +1274,9 @@ static ssize_t ucma_set_option(struct uc if (IS_ERR(ctx)) return PTR_ERR(ctx); + if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) + return -EINVAL; + optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {