Received: by 10.192.165.156 with SMTP id m28csp218361imm; Tue, 17 Apr 2018 09:01:27 -0700 (PDT) X-Google-Smtp-Source: AIpwx4887s59iwxJslCzB2GG5xXpsRr+JCuaPZdn4RB1G0QhdOH0R+2MUvvnHxDzXIuEoVmzzvRl X-Received: by 10.101.96.65 with SMTP id b1mr2295752pgv.340.1523980887712; Tue, 17 Apr 2018 09:01:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523980887; cv=none; d=google.com; s=arc-20160816; b=ME83aDAdH/HNaqXFo8xZ4Msr+pDmDnwclaQ0wrkfdvpBm32ifbxVvAKDSiYNjzJmxi MmceTOWyLBXJm4aqpHyaj8ASB9p37/mZpppov2slyaiiVIVmn+xg6DLzvlgvJ4h3cXBe ltiHPgAUpKE/5ax7BgdSGgCvgVA2o1Np8X1oPNkF1qc0l5XOSWkAMj8yY3PAn3pBhTy9 GbtZF/Rkc2t+kE9abtYdI7DhP5xHLTImrCkXMl9OH+PX/VS+Z6C/N2pmYNhJPHoQb3fI TI541XioCeoh2Iv1KwsgqGEbXKev9IpFmGt69iTiKRdi3lB8skziJXvv0cuVEc29S+oC D9aw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=Kw5cA1gWJrlkO1yIoR1V4brWJ0RbxcHYvp4TcqcsCBI=; b=nE6lpektnLQe1oWyaEBnwxhnV3XwSP8TVk/TPiOKaJyichakeq3NQzb/HHj9LYhQJu u/0i7kHrYvZIkkuNKjebiUXUY1gkVtnp/mw9lMG/CECESHtyyXsQ/7yBezHW7rLdW/xY LeTAB8kBvqg9xDNS4bVNCgmLL9kp+QdmEKcb4YLQbZaZQfNryJKpnurFNda7nhwlTw+d NyEuPbEXkRU3//WlKtM46IQcAqA6uwjzK2RJCb+FPLmGn3ev3OmgaZHDjXCsE6xIkRsL Xa504L8ndDPlsdbNs6QGSFQ65CoxQpbqlG5JFeJmW7AurLroAvrl6I9VjP0V5CwyD0Cp 40nQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g15-v6si1666020pln.526.2018.04.17.09.01.13; Tue, 17 Apr 2018 09:01:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752824AbeDQQAD (ORCPT + 99 others); Tue, 17 Apr 2018 12:00:03 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:59974 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751836AbeDQP77 (ORCPT ); Tue, 17 Apr 2018 11:59:59 -0400 Received: from localhost (unknown [46.44.180.42]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 12FC3D6A; Tue, 17 Apr 2018 15:59:58 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Rob Gardner , Jonathan Helman , Linus Torvalds , "David S. Miller" Subject: [PATCH 4.16 10/68] [PATCH] sparc64: Properly range check DAX completion index Date: Tue, 17 Apr 2018 17:57:23 +0200 Message-Id: <20180417155749.752137992@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180417155749.341779147@linuxfoundation.org> References: <20180417155749.341779147@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Rob Gardner [ Upstream commit 49d7006d9f01d435661d03bbea3db4c33935b3d8 ] Each Oracle DAX CCB has a corresponding completion area, and the required number of areas must fit within a previously allocated array of completion areas beginning at the requested index. Since the completion area index is specified by a file offset, a user can pass arbitrary values, including negative numbers. So the index must be thoroughly range checked to prevent access to addresses outside the bounds of the allocated completion area array. The index cannot be negative, and it cannot exceed the total array size, less the number of CCBs requested. The old code did not check for negative values and was off by one on the upper bound. Signed-off-by: Rob Gardner Signed-off-by: Jonathan Helman Reported-by: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/sbus/char/oradax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/sbus/char/oradax.c +++ b/drivers/sbus/char/oradax.c @@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx * dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx); /* for given index and length, verify ca_buf range exists */ - if (idx + nccbs >= DAX_CA_ELEMS) { + if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) { ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL; return 0; }