From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Gunthorpe, Leon Romanovsky, Sasha Levin
Subject: [PATCH 5.12 007/127] RDMA/core: Prevent divide-by-zero error triggered by the user
Date: Mon, 24 May 2021 17:25:24 +0200
Message-Id: <20210524152335.108504796@linuxfoundation.org>
In-Reply-To: <20210524152334.857620285@linuxfoundation.org>
References: <20210524152334.857620285@linuxfoundation.org>

From: Leon Romanovsky

[ Upstream commit 54d87913f147a983589923c7f651f97de9af5be1 ]

The user_entry_size is supplied by the user and later used as a
denominator to calculate number of entries. The zero supplied by the user
will trigger the following divide-by-zero error:

 divide error: 0000 [#1] SMP KASAN PTI
 CPU: 4 PID: 497 Comm: c_repro Not tainted 5.13.0-rc1+ #281
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_GID_TABLE+0x1b1/0x510
 Code: 87 59 03 00 00 e8 9f ab 1e ff 48 8d bd a8 00 00 00 e8 d3 70 41 ff 44 0f b7 b5 a8 00 00 00 e8 86 ab 1e ff 31 d2 4c 89 f0 31 ff <49> f7 f5 48 89 d6 48 89 54 24 10 48 89 04 24 e8 1b ad 1e ff 48 8b
 RSP: 0018:ffff88810416f828 EFLAGS: 00010246
 RAX: 0000000000000008 RBX: 1ffff1102082df09 RCX: ffffffff82183f3d
 RDX: 0000000000000000 RSI: ffff888105f2da00 RDI: 0000000000000000
 RBP: ffff88810416fa98 R08: 0000000000000001 R09: ffffed102082df5f
 R10: ffff88810416faf7 R11: ffffed102082df5e R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000008 R15: ffff88810416faf0
 FS: 00007f5715efa740(0000) GS:ffff88811a700000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000020000840 CR3: 000000010c2e0001 CR4: 0000000000370ea0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  ? ib_uverbs_handler_UVERBS_METHOD_INFO_HANDLES+0x4b0/0x4b0
  ib_uverbs_cmd_verbs+0x1546/0x1940
  ib_uverbs_ioctl+0x186/0x240
  __x64_sys_ioctl+0x38a/0x1220
  do_syscall_64+0x3f/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 9f85cbe50aa0 ("RDMA/uverbs: Expose the new GID query API to user space")
Link: https://lore.kernel.org/r/b971cc70a8b240a8b5eda33c99fa0558a0071be2.1620657876.git.leonro@nvidia.com
Reviewed-by: Jason Gunthorpe
Signed-off-by: Leon Romanovsky
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sasha Levin --- drivers/infiniband/core/uverbs_std_types_device.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/infiniband/core/uverbs_std_types_device.c b/drivers/infiniband/core/uverbs_std_types_device.c index 9ec6971056fa..a03021d94e11 100644 --- a/drivers/infiniband/core/uverbs_std_types_device.c +++ b/drivers/infiniband/core/uverbs_std_types_device.c @@ -331,6 +331,9 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QUERY_GID_TABLE)( if (ret) return ret; + if (!user_entry_size) + return -EINVAL; + max_entries = uverbs_attr_ptr_get_array_size( attrs, UVERBS_ATTR_QUERY_GID_TABLE_RESP_ENTRIES, user_entry_size); -- 2.30.2
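
Review bot: the new zero check on user_entry_size lives only in this handler, just before the value is passed to uverbs_attr_ptr_get_array_size() as the element size. If the division happens inside that helper, consider rejecting a zero element size there as well, so that any other caller handing it a user-controlled size takes the same -EINVAL path instead of faulting. A one-line comment above the check saying that the value comes from user space and is later used as a divisor would also make the reason for the early return obvious to future readers.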