From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com, "Doug Ledford" , "Leon Romanovsky" Date: Thu, 07 Jun 2018 15:05:21 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 331/410] RDMA/ucma: Limit possible option size In-Reply-To: X-SA-Exim-Connect-IP: 148.252.241.226 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.57-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Leon Romanovsky commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream. Users of ucma are supposed to provide size of option level, in most paths it is supposed to be equal to u8 or u16, but it is not the case for the IB path record, where it can be multiple of struct ib_path_rec_data. This patch takes simplest possible approach and prevents providing values more than possible to allocate. Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1187,6 +1187,9 @@ static ssize_t ucma_set_option(struct uc if (IS_ERR(ctx)) return PTR_ERR(ctx); + if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) + return -EINVAL; + optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {
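Review bot: The added check in ucma_set_option() compares cmd.optval, which is the user-space pointer, against KMALLOC_MAX_SIZE, while the size actually passed to memdup_user() in the next statement is cmd.optlen. As written, the test rejects requests based on the buffer address and leaves the length unbounded, so it does not limit the option size the way the commit message describes. Suggest `if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))` instead. Separately, the new `return -EINVAL;` sits after ctx has passed the IS_ERR() check, and the memdup_user() failure path just below opens a block rather than returning directly; please confirm whether ctx has to be released on this path as well, and if so route the new error through the same cleanup.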