From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Doug Ledford", "syzkaller", "Leon Romanovsky", "Boris Pismenny"
Date: Thu, 07 Jun 2018 15:05:21 +0100
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 347/410] IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.57-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Boris Pismenny

commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream.

This patch validates user provided input to prevent integer overflow due to integer manipulation in the mlx5_ib_create_srq function.

Cc: syzkaller
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Boris Pismenny
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 drivers/infiniband/hw/mlx5/srq.c | 15 +++++++++------
 include/linux/mlx5/driver.h | 4 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx5/srq.c +++ b/drivers/infiniband/hw/mlx5/srq.c @@ -234,8 +234,8 @@ struct ib_srq *mlx5_ib_create_srq(struct { struct mlx5_ib_dev *dev = to_mdev(pd->device); struct mlx5_ib_srq *srq; - int desc_size; - int buf_size; + size_t desc_size; + size_t buf_size; int err; struct mlx5_create_srq_mbox_in *uninitialized_var(in); int uninitialized_var(inlen); 
@@ -261,15 +261,18 @@ struct ib_srq *mlx5_ib_create_srq(struct desc_size = sizeof(struct mlx5_wqe_srq_next_seg) + srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg); + if (desc_size == 0 || srq->msrq.max_gs > desc_size) + return ERR_PTR(-EINVAL); desc_size = roundup_pow_of_two(desc_size); - desc_size = max_t(int, 32, desc_size); + desc_size = max_t(size_t, 32, desc_size); + if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) + return ERR_PTR(-EINVAL); srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) / sizeof(struct mlx5_wqe_data_seg); srq->msrq.wqe_shift = ilog2(desc_size); buf_size = srq->msrq.max * desc_size; - mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n", - desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs, - srq->msrq.max_avail_gather); + if (buf_size < desc_size) + return ERR_PTR(-EINVAL); if (pd->uobject) err = create_srq_user(pd, srq, &in, udata, buf_size, &inlen); --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -432,8 +432,8 @@ struct mlx5_core_mr { struct mlx5_core_srq { u32 srqn; int max; - int max_gs; - int max_avail_gather; + size_t max_gs; + size_t max_avail_gather; int wqe_shift; void (*event) (struct mlx5_core_srq *, enum mlx5_event);
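
Review bot: In the first srq.c hunk (@@ -234), buf_size becomes size_t but is still passed on as create_srq_user(pd, srq, &in, udata, buf_size, &inlen), and the callee's prototype is not touched by this patch. If that parameter is still an int, the widened value is narrowed again at the call and the range checks added below no longer describe what the callee sees. Please either change the callee signatures in the same patch or reject buf_size > INT_MAX before the call.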
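
Review bot: In the second srq.c hunk (@@ -261), `if (buf_size < desc_size)` does not detect every wrap of `buf_size = srq->msrq.max * desc_size`: where size_t is 32 bits, a product that wraps can still land at or above desc_size and pass. Test the operands before multiplying instead, for example by rejecting srq->msrq.max <= 0 and srq->msrq.max > SIZE_MAX / desc_size. The after-the-fact test `desc_size == 0 || srq->msrq.max_gs > desc_size` can have the same weakness when the multiplication by sizeof(struct mlx5_wqe_data_seg) wraps, so a bound on max_gs before computing the sum would be more robust. Separately, srq is already dereferenced at this point, so the three new `return ERR_PTR(-EINVAL)` exits should go through whatever cleanup the function's existing error path uses for srq rather than returning directly.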
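
Review bot: In the driver.h hunk (@@ -432), max_gs and max_avail_gather become size_t while `int max;` stays signed, yet max is an operand of `buf_size = srq->msrq.max * desc_size` in srq.c, where a negative value converts to a very large size_t. Consider giving max an unsigned type here or validating it where it is assigned. Since this is a shared header, other users of the two changed fields need checking too: any that print them with int format specifiers, as the mlx5_ib_dbg() call removed in srq.c did with 0x%x, or that assign them to an int, will now mismatch or truncate.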