From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Matan Barak, Leon Romanovsky, Jason Gunthorpe, Sasha Levin
Subject: [PATCH 4.14 078/496] IB/uverbs: Fix possible oops with duplicate ioctl attributes
Date: Mon, 28 May 2018 11:57:43 +0200
Message-Id: <20180528100323.063680185@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Matan Barak

[ Upstream commit 4d39a959bc1f3d164b5a54147fdeb19f84b1ed58 ]

If the same attribute is listed twice by the user in the ioctl attribute list then error unwind can cause the kernel to deref garbage.

This happens when an object with WRITE access is sent twice. The second parse properly fails but corrupts the state required for the error unwind it triggers.

Fixing this by making duplicates in the attribute list invalid. This is not something we need to support.

The ioctl interface is currently recommended to be disabled in kConfig.

Signed-off-by: Matan Barak
Signed-off-by: Leon Romanovsky
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- drivers/infiniband/core/uverbs_ioctl.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/uverbs_ioctl.c +++ b/drivers/infiniband/core/uverbs_ioctl.c @@ -59,6 +59,9 @@ static int uverbs_process_attr(struct ib return 0; } + if (test_bit(attr_id, attr_bundle_h->valid_bitmap)) + return -EINVAL; + spec = &attr_spec_bucket->attrs[attr_id]; e = &elements[attr_id]; e->uattr = uattr_ptr;
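Review bot: the new `if (test_bit(attr_id, attr_bundle_h->valid_bitmap))` check in uverbs_process_attr() carries no comment, so a reader of the function cannot tell that it exists to reject a duplicate attribute before `e = &elements[attr_id];` overwrites state that the error unwind depends on. A one-line comment above the check saying that a set bit means this attr_id was already parsed in this call, and that a second occurrence is refused because the unwind cannot handle it, would keep a later cleanup from removing or moving it. Two further things to confirm against the full function, since the visible context does not show them: that attr_id has already been range-checked against the size of valid_bitmap by the branch ending in `return 0; }` just above, and that the bit is set for every attribute that reaches `e->uattr = uattr_ptr;`, otherwise some duplicates would still get through. Attributes that leave through that earlier `return 0;` never reach the new check, which is fine only if that path leaves nothing to unwind.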