* [PATCH RESEND 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
@ 2015-04-08 20:02 Yann Droneaud
  2015-04-08 20:02 ` [PATCH RESEND 1/2] IB/core: disallow registering 0-sized memory region Yann Droneaud
       [not found] ` <cover.1428523125.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
  0 siblings, 2 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 20:02 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, Shachar Raindel,
	Jack Morgenstein, Or Gerlitz, stable-u79uwXL29TY76Z2rM5mHXA,
	Yann Droneaud

[Re-sent patch set with correct Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>]

Hi,

Please find one patch to prevent a possible issue partially
addressed by commit 8494057ab5e4 ("IB/uverbs: Prevent integer
overflow in ib_umem_get address arithmetic") (see discussions
in [1]) and another one to add back the possibility of registering
memory mapped at 0 (which is probably not something to be allowed,
but it's not up to ib_umem_get() to prevent it).

[1] "Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical
 memory access"

 http://mid.gmane.org/1428497043.22575.176.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
 http://marc.info/?i=1428497043.22575.176.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org

Regards.

Yann Droneaud (2):
  IB/core: disallow registering 0-sized memory region
  IB/core: don't disallow registering region starting at 0x0

 drivers/infiniband/core/umem.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH RESEND 1/2] IB/core: disallow registering 0-sized memory region
  2015-04-08 20:02 [PATCH RESEND 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Yann Droneaud
@ 2015-04-08 20:02 ` Yann Droneaud
       [not found] ` <cover.1428523125.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
  1 sibling, 0 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 20:02 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma, Shachar Raindel, Jack Morgenstein, Or Gerlitz,
	stable, Yann Droneaud

If ib_umem_get() is called with a size equal to 0 and a
non-page aligned address, one page will be pinned and a
0-sized umem will be returned to the caller.

This should not be allowed: it's not expected for a memory
region to have a size equal to 0.

This patch adds a check to explicitly refuse to register
a 0-sized region.

Additionally, it updates the check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get
address arithmetic") to not care about 0-sized regions:
it would have caught a 0-sized region only if the address was
already page aligned.

Link: http://mid.gmane.org/cover.1428523125.git.ydroneaud@opteya.com
Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel@mellanox.com>
Cc: Jack Morgenstein <jackm@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
---
 drivers/infiniband/core/umem.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 8c014b5dab4c..cbe361645c1b 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,12 +99,15 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	if (dmasync)
 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
 
+	if (!size)
+		return ERR_PTR(-EINVAL);
+
 	/*
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
 	 */
 	if ((PAGE_ALIGN(addr + size) <= size) ||
-	    (PAGE_ALIGN(addr + size) <= addr))
+	    (PAGE_ALIGN(addr + size) < addr))
 		return ERR_PTR(-EINVAL);
 
 	if (!can_do_mlock())
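Review bot: in the overflow test, the first comparison keeps "<=" (PAGE_ALIGN(addr + size) <= size) while the second is relaxed to "<", and the block comment above still only says "integer overflow", so nothing in the code explains why the two clauses differ. As written, addr 0 with a page-aligned size still returns -EINVAL here, since PAGE_ALIGN(size) equals size; either relax both comparisons in this patch or extend the comment to say which case each clause covers. The new "if (!size)" test would also benefit from a one-line comment carrying the reason from the commit message (a non-page-aligned address with size 0 would pin one page).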
-- 
2.1.0


* [PATCH RESEND 2/2] IB/core: don't disallow registering region starting at 0x0
       [not found] ` <cover.1428523125.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
@ 2015-04-08 20:02   ` Yann Droneaud
  0 siblings, 0 replies; 3+ messages in thread
From: Yann Droneaud @ 2015-04-08 20:02 UTC (permalink / raw)
  To: Roland Dreier
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, Shachar Raindel,
	Jack Morgenstein, Or Gerlitz, stable-u79uwXL29TY76Z2rM5mHXA,
	Yann Droneaud

In a call to ib_umem_get(), if the address is 0x0 and the size is
already page aligned, the check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get address
arithmetic") will refuse to register a memory region that
could otherwise be valid (provided vm.mmap_min_addr sysctl
and mmap_low_allowed SELinux knobs allow userspace to map
something at address 0x0).

This patch allows such registration again: ib_umem_get()
should probably not care about the base address provided it
can be pinned with get_user_pages().

Link: http://mid.gmane.org/cover.1428523125.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Jack Morgenstein <jackm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
---
 drivers/infiniband/core/umem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index cbe361645c1b..a0aadd05ab6d 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -106,7 +106,7 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
 	 */
-	if ((PAGE_ALIGN(addr + size) <= size) ||
+	if ((PAGE_ALIGN(addr + size) < size) ||
 	    (PAGE_ALIGN(addr + size) < addr))
 		return ERR_PTR(-EINVAL);
 
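Review bot: with both comparisons now strict, this test no longer rejects size 0 for a page-aligned addr on its own and relies on the separate !size check from 1/2, yet nothing at this site says so. Comparing the rounded end against size is also an indirect way to detect a wrap; testing (addr + size) < addr for the sum and PAGE_ALIGN(addr + size) < (addr + size) for the round-up would match the comment directly and would not need the comparison against size.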
-- 
2.1.0
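
The boundary cases described in the two commit messages above, modelled in user space as an added example (not part of the original thread or of the kernel source): it compares the check before the series, after 1/2 and after 2/2 against a reference written for this example. It assumes a 64-bit unsigned long and 4 KiB pages; all function names and the value grid are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumptions of this example: 64-bit unsigned long, 4 KiB pages. */
#define PG ((uint64_t)4096)
#define PAGE_ALIGN(x) (((x) + PG - 1) & ~(PG - 1))

/* Check from commit 8494057ab5e4 (the "-" side of 1/2). */
static int rejects_before(uint64_t addr, uint64_t size)
{
	return PAGE_ALIGN(addr + size) <= size || PAGE_ALIGN(addr + size) <= addr;
}

/* After 1/2: explicit zero-size test, second comparison relaxed. */
static int rejects_after_1(uint64_t addr, uint64_t size)
{
	return !size || PAGE_ALIGN(addr + size) <= size || PAGE_ALIGN(addr + size) < addr;
}

/* After 2/2: first comparison relaxed as well. */
static int rejects_after_2(uint64_t addr, uint64_t size)
{
	return !size || PAGE_ALIGN(addr + size) < size || PAGE_ALIGN(addr + size) < addr;
}

/* Reference written for this example: empty region, wrapping sum, or wrapping round-up. */
static int reference_rejects(uint64_t addr, uint64_t size)
{
	uint64_t end = addr + size;
	return !size || end < addr || PAGE_ALIGN(end) < end;
}

/* Count constructed boundary pairs where a check disagrees with the reference. */
static int count_mismatches(int (*check)(uint64_t, uint64_t))
{
	static const uint64_t v[] = { 0, 1, 0x800, 0xfff, 0x1000, 0x1001, 0x2000,
		-0x2000ULL, -0x1001ULL, -0x1000ULL, -0xfffULL, -1ULL }; /* -n is 2^64 - n */
	int n = sizeof(v) / sizeof(v[0]), bad = 0;
	for (int i = 0; i < n; i++)
		for (int j = 0; j < n; j++)
			bad += check(v[i], v[j]) != reference_rejects(v[i], v[j]);
	return bad;
}

int main(void)
{
	printf("mismatches: before=%d after 1/2=%d after 2/2=%d\n", count_mismatches(rejects_before),
	       count_mismatches(rejects_after_1), count_mismatches(rejects_after_2));
	return 0;
}
```

The disagreements left after 1/2 are the pairs with addr 0 and a page-aligned size, which is the case 2/2 addresses.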
