From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vlad Tsyrklevich, Doug Ledford, Sasha Levin
Subject: [PATCH 4.4 44/97] infiniband/uverbs: Fix integer overflows
Date: Fri, 23 Mar 2018 10:54:31 +0100
Message-Id: <20180323094200.109336079@linuxfoundation.org>
In-Reply-To: <20180323094157.535925724@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vlad Tsyrklevich

[ Upstream commit 4f7f4dcfff2c19debbcdbcc861c325610a15e0c5 ]

The 'num_sge' variable is verified to be smaller than the 'sge_count' variable; however, since both are user-controlled it's possible to cause an integer overflow for the kmalloc multiply on 32-bit platforms (num_sge and sge_count are both defined u32). By crafting an input that causes a smaller-than-expected allocation it's possible to write controlled data out-of-bounds.

Signed-off-by: Vlad Tsyrklevich
Signed-off-by: Doug Ledford
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/infiniband/core/uverbs_cmd.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -2436,9 +2436,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_u static void *alloc_wr(size_t wr_size, __u32 num_sge) { + if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) / + sizeof (struct ib_sge)) + return NULL; + return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) + num_sge * sizeof (struct ib_sge), GFP_KERNEL); -}; +} ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file, struct ib_device *ib_dev, @@ -2664,6 +2668,13 @@ static struct ib_recv_wr *ib_uverbs_unma ret = -EINVAL; goto err; } + + if (user_wr->num_sge >= + (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) / + sizeof (struct ib_sge)) { + ret = -EINVAL; + goto err; + } next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) + user_wr->num_sge * sizeof (struct ib_sge),
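
Review bot: In the first hunk, alloc_wr() now returns NULL for an oversized num_sge, which is the same value kmalloc() returns on allocation failure, so a caller cannot tell a rejected user-supplied count from memory exhaustion, while the second hunk reports the same condition as -EINVAL. Consider validating num_sge in the callers and returning -EINVAL there, or add a comment above the check saying that NULL also covers the overflow case. The bound is written against U32_MAX although the kmalloc() size is computed in size_t; a one-line comment that the guard exists for the 32-bit wrap would make the choice of constant clear.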
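
Review bot: In the second hunk, the check on user_wr->num_sge ahead of "next = kmalloc(...)" duplicates the expression added to alloc_wr(), differing only in "sizeof *next" versus "wr_size", so the two guards can drift apart. A small shared helper that takes the header size and num_sge and says whether the total fits would keep the bound in one place. With ">=" the check also rejects the largest count that would still fit; that is harmless, but it deserves a comment so it is not later changed to ">" without rechecking the arithmetic.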
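
The 32-bit wrap described in the commit message, modelled in user space as an added example; it is not code from the patch or the kernel tree. uint32_t stands in for a 32-bit size_t, and SGE_SIZE (16), the wr_size of 72 and the helper names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SGE_SIZE 16u  /* assumed size of struct ib_sge on the modelled target */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Pre-patch size computation, with uint32_t standing in for a 32-bit size_t. */
static uint32_t size_unchecked32(uint32_t wr_size, uint32_t num_sge)
{
    return ALIGN_UP(wr_size, SGE_SIZE) + num_sge * SGE_SIZE;
}

/* Same computation behind the guard the patch adds; -1 means rejected. */
static int size_checked32(uint32_t wr_size, uint32_t num_sge, uint32_t *out)
{
    uint32_t hdr = ALIGN_UP(wr_size, SGE_SIZE);

    if (num_sge >= (UINT32_MAX - hdr) / SGE_SIZE)
        return -1;
    *out = hdr + num_sge * SGE_SIZE;
    return 0;
}

/* Reference size in 64-bit arithmetic, which cannot wrap for u32 inputs. */
static uint64_t size_true(uint32_t wr_size, uint32_t num_sge)
{
    return (uint64_t)ALIGN_UP(wr_size, SGE_SIZE) + (uint64_t)num_sge * SGE_SIZE;
}

/* Counts num_sge values around the bound that pass the guard yet wrap. */
static int guard_gaps(uint32_t wr_size)
{
    uint32_t limit = (UINT32_MAX - ALIGN_UP(wr_size, SGE_SIZE)) / SGE_SIZE;
    int gaps = 0;

    for (uint32_t n = limit - 64; n < limit + 64; n++) {
        uint32_t sz;
        if (size_checked32(wr_size, n, &sz) == 0 && sz != size_true(wr_size, n))
            gaps++;
    }
    return gaps;
}

int main(void)
{
    uint32_t wr_size = 72, n = 0x10000000u;  /* constructed sample values */

    printf("unchecked 32-bit size: %u, true size: %llu, gaps: %d\n",
           (unsigned)size_unchecked32(wr_size, n),
           (unsigned long long)size_true(wr_size, n), guard_gaps(wr_size));
    return 0;
}
```
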