From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Ilja Van Sprundel <ivansprundel@ioactive.com>,
Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>,
Jason Gunthorpe <jgg@nvidia.com>
Subject: [PATCH 4.9 09/22] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
Date: Wed, 10 Nov 2021 19:43:16 +0100 [thread overview]
Message-ID: <20211110182001.880130769@linuxfoundation.org> (raw)
In-Reply-To: <20211110182001.579561273@linuxfoundation.org>
From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream.
Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.
Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/qib/qib_user_sdma.c | 33 ++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
@@ -607,7 +607,7 @@ done:
/*
* How many pages in this iovec element?
*/
-static int qib_user_sdma_num_pages(const struct iovec *iov)
+static size_t qib_user_sdma_num_pages(const struct iovec *iov)
{
const unsigned long addr = (unsigned long) iov->iov_base;
const unsigned long len = iov->iov_len;
@@ -663,7 +663,7 @@ static void qib_user_sdma_free_pkt_frag(
static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
struct qib_user_sdma_queue *pq,
struct qib_user_sdma_pkt *pkt,
- unsigned long addr, int tlen, int npages)
+ unsigned long addr, int tlen, size_t npages)
{
struct page *pages[8];
int i, j;
@@ -727,7 +727,7 @@ static int qib_user_sdma_pin_pkt(const s
unsigned long idx;
for (idx = 0; idx < niov; idx++) {
- const int npages = qib_user_sdma_num_pages(iov + idx);
+ const size_t npages = qib_user_sdma_num_pages(iov + idx);
const unsigned long addr = (unsigned long) iov[idx].iov_base;
ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr,
@@ -829,8 +829,8 @@ static int qib_user_sdma_queue_pkts(cons
unsigned pktnw;
unsigned pktnwc;
int nfrags = 0;
- int npages = 0;
- int bytes_togo = 0;
+ size_t npages = 0;
+ size_t bytes_togo = 0;
int tiddma = 0;
int cfur;
@@ -890,7 +890,11 @@ static int qib_user_sdma_queue_pkts(cons
npages += qib_user_sdma_num_pages(&iov[idx]);
- bytes_togo += slen;
+ if (check_add_overflow(bytes_togo, slen, &bytes_togo) ||
+ bytes_togo > type_max(typeof(pkt->bytes_togo))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
pktnwc += slen >> 2;
idx++;
nfrags++;
@@ -909,8 +913,7 @@ static int qib_user_sdma_queue_pkts(cons
}
if (frag_size) {
- int tidsmsize, n;
- size_t pktsize;
+ size_t tidsmsize, n, pktsize, sz, addrlimit;
n = npages*((2*PAGE_SIZE/frag_size)+1);
pktsize = struct_size(pkt, addr, n);
@@ -928,14 +931,24 @@ static int qib_user_sdma_queue_pkts(cons
else
tidsmsize = 0;
- pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL);
+ if (check_add_overflow(pktsize, tidsmsize, &sz)) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt = kmalloc(sz, GFP_KERNEL);
if (!pkt) {
ret = -ENOMEM;
goto free_pbc;
}
pkt->largepkt = 1;
pkt->frag_size = frag_size;
- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr);
+ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr),
+ &addrlimit) ||
+ addrlimit > type_max(typeof(pkt->addrlimit))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt->addrlimit = addrlimit;
if (tiddma) {
char *tidsm = (char *)pkt + pktsize;
next prev parent reply other threads:[~2021-11-10 18:46 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 18:43 [PATCH 4.9 00/22] 4.9.290-rc1 review Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 01/22] scsi: core: Put LLD module refcnt after SCSI device is released Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 02/22] mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 03/22] arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 04/22] ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 05/22] net: hso: register netdev later to avoid a race condition Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 06/22] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 07/22] Revert "x86/kvm: fix vcpu-id indexed array sizes" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 08/22] IB/qib: Use struct_size() helper Greg Kroah-Hartman
2021-11-10 18:43 ` Greg Kroah-Hartman [this message]
2021-11-10 18:43 ` [PATCH 4.9 10/22] usb: gadget: Mark USB_FSL_QE broken on 64-bit Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 11/22] usb: musb: Balance list entry in musb_gadget_queue Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 12/22] usb-storage: Add compatibility quirk flags for iODD 2531/2541 Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 13/22] printk/console: Allow to disable console output by using console="" or console=null Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 14/22] isofs: Fix out of bound access for corrupted isofs image Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 15/22] comedi: dt9812: fix DMA buffers on stack Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 16/22] comedi: ni_usb6501: fix NULL-deref in command paths Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 17/22] comedi: vmk80xx: fix transfer-buffer overflows Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 18/22] comedi: vmk80xx: fix bulk-buffer overflow Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 19/22] comedi: vmk80xx: fix bulk and interrupt message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 20/22] staging: r8712u: fix control-message timeout Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 21/22] staging: rtl8192u: fix control-message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 22/22] rsi: fix control-message timeout Greg Kroah-Hartman
2021-11-10 19:26 ` [PATCH 4.9 00/22] 4.9.290-rc1 review Florian Fainelli
2021-11-11 18:28 ` Naresh Kamboju
2021-11-11 19:06 ` Shuah Khan
2021-11-12 0:58 ` Guenter Roeck
2021-11-12 15:40 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211110182001.880130769@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dennis.dalessandro@cornelisnetworks.com \
--cc=ivansprundel@ioactive.com \
--cc=jgg@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mike.marciniszyn@cornelisnetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.