[PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access

[PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access

[Yann Droneaud]

Hi,

Please find one patch to prevent a possible issue partially
addressed by commit 8494057ab5e4 ("IB/uverbs: Prevent integer
overflow in ib_umem_get address arithmetic") (see discussions
in [1]) and another one to add back the possibility of registering
memory mapped at 0 (which is probably not something to be allowed,
but it's probably not up to ib_umem_get() to prevent it).

Changes from v0 [2]:
- don't touch to overflow logic in first patch:
  not modifying the logic here so that the patch can be applied
  even on kernel without the overflow preventing checks,
  and second patch is going to rewrite the check.

- don't break overflow detection in second patch:
  changing less or equal to less comparison broke the overflow
  detection logic regarding to rounding done by PAGE_ALIGN,
  so fixes this by checking for overflow in addr + size,
  then by checking for overflow in PAGE_ALIGN(addr + size).

[1] "Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical
 memory access"

 http://mid.gmane.org/1428497043.22575.176.camel@opteya.com
 http://marc.info/?i=1428497043.22575.176.camel@opteya.com

[2] [PATCH RESEND 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access

 http://mid.gmane.org/cover.1428523125.git.ydroneaud@opteya.com
 http://marc.info/?i=cover.1428523125.git.ydroneaud@opteya.com

Yann Droneaud (2):
  IB/core: disallow registering 0-sized memory region
  IB/core: don't disallow registering region starting at 0x0

 drivers/infiniband/core/umem.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.1.0

[PATCH v1 1/2] IB/core: disallow registering 0-sized memory region

[Yann Droneaud]

If ib_umem_get() is called with a size equal to 0 and an
non-page aligned address, one page will be pinned and a
0-sized umem will be returned to the caller.

This should not be allowed: it's not expected for a memory
region to have a size equal to 0.

This patch adds a check to explicitly refuse to register
a 0-sized region.

Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Cc: Shachar Raindel <raindel-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Jack Morgenstein <jackm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
---
 drivers/infiniband/core/umem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 8c014b5dab4c..9ac4068d2088 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,6 +99,9 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	if (dmasync)
 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
 
+	if (!size)
+		return ERR_PTR(-EINVAL);
+
 	/*
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0

[Yann Droneaud]

In a call to ib_umem_get(), if address is 0x0 and size is
already page aligned, check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get address
arithmetic") will refuse to register a memory region that
could otherwise be valid (provided vm.mmap_min_addr sysctl
and mmap_low_allowed SELinux knobs allow userspace to map
something at address 0x0).

This patch allows back such registration: ib_umem_get()
should probably don't care of the base address provided it
can be pinned with get_user_pages().

There's two possible overflows, in (addr + size) and in
PAGE_ALIGN(addr + size), this patch keep ensuring none
of them happen while allowing to pin memory at address
0x0. Anyway, the case of size equal 0 is no more (partially)
handled as 0-length memory region are disallowed by an
earlier check.

Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel@mellanox.com>
Cc: Jack Morgenstein <jackm@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
---
 drivers/infiniband/core/umem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 9ac4068d2088..38acb3cfc545 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 	 * If the combination of the addr and size requested for this memory
 	 * region causes an integer overflow, return error.
 	 */
-	if ((PAGE_ALIGN(addr + size) <= size) ||
-	    (PAGE_ALIGN(addr + size) <= addr))
+	if (((addr + size) < addr) ||
+	    PAGE_ALIGN(addr + size) < (addr + size))
 		return ERR_PTR(-EINVAL);
 
 	if (!can_do_mlock())
-- 
2.1.0

Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0

[Sagi Grimberg]

On 4/13/2015 3:56 PM, Yann Droneaud wrote:
> In a call to ib_umem_get(), if address is 0x0 and size is
> already page aligned, check added in commit 8494057ab5e4
> ("IB/uverbs: Prevent integer overflow in ib_umem_get address
> arithmetic") will refuse to register a memory region that
> could otherwise be valid (provided vm.mmap_min_addr sysctl
> and mmap_low_allowed SELinux knobs allow userspace to map
> something at address 0x0).
>
> This patch allows back such registration: ib_umem_get()
> should probably don't care of the base address provided it
> can be pinned with get_user_pages().
>
> There's two possible overflows, in (addr + size) and in
> PAGE_ALIGN(addr + size), this patch keep ensuring none
> of them happen while allowing to pin memory at address
> 0x0. Anyway, the case of size equal 0 is no more (partially)
> handled as 0-length memory region are disallowed by an
> earlier check.
>
> Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
> Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
> Cc: Shachar Raindel <raindel@mellanox.com>
> Cc: Jack Morgenstein <jackm@mellanox.com>
> Cc: Or Gerlitz <ogerlitz@mellanox.com>
> Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
> ---
>   drivers/infiniband/core/umem.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
> index 9ac4068d2088..38acb3cfc545 100644
> --- a/drivers/infiniband/core/umem.c
> +++ b/drivers/infiniband/core/umem.c
> @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
>   	 * If the combination of the addr and size requested for this memory
>   	 * region causes an integer overflow, return error.
>   	 */
> -	if ((PAGE_ALIGN(addr + size) <= size) ||
> -	    (PAGE_ALIGN(addr + size) <= addr))
> +	if (((addr + size) < addr) ||
> +	    PAGE_ALIGN(addr + size) < (addr + size))

If you do change the first statement to be: (addr + size) <= addr
wouldn't it cover patch #1?

Sagi.

Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0

[Yann Droneaud]

Hi,

Le mardi 14 avril 2015 à 12:20 +0300, Sagi Grimberg a écrit :
> On 4/13/2015 3:56 PM, Yann Droneaud wrote:
> > In a call to ib_umem_get(), if address is 0x0 and size is
> > already page aligned, check added in commit 8494057ab5e4
> > ("IB/uverbs: Prevent integer overflow in ib_umem_get address
> > arithmetic") will refuse to register a memory region that
> > could otherwise be valid (provided vm.mmap_min_addr sysctl
> > and mmap_low_allowed SELinux knobs allow userspace to map
> > something at address 0x0).
> >
> > This patch allows back such registration: ib_umem_get()
> > should probably don't care of the base address provided it
> > can be pinned with get_user_pages().
> >
> > There's two possible overflows, in (addr + size) and in
> > PAGE_ALIGN(addr + size), this patch keep ensuring none
> > of them happen while allowing to pin memory at address
> > 0x0. Anyway, the case of size equal 0 is no more (partially)
> > handled as 0-length memory region are disallowed by an
> > earlier check.
> >
> > Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
> > Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
> > Cc: Shachar Raindel <raindel@mellanox.com>
> > Cc: Jack Morgenstein <jackm@mellanox.com>
> > Cc: Or Gerlitz <ogerlitz@mellanox.com>
> > Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
> > ---
> >   drivers/infiniband/core/umem.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
> > index 9ac4068d2088..38acb3cfc545 100644
> > --- a/drivers/infiniband/core/umem.c
> > +++ b/drivers/infiniband/core/umem.c
> > @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
> >   	 * If the combination of the addr and size requested for this memory
> >   	 * region causes an integer overflow, return error.
> >   	 */
> > -	if ((PAGE_ALIGN(addr + size) <= size) ||
> > -	    (PAGE_ALIGN(addr + size) <= addr))
> > +	if (((addr + size) < addr) ||
> > +	    PAGE_ALIGN(addr + size) < (addr + size))
> 
> If you do change the first statement to be: (addr + size) <= addr
> wouldn't it cover patch #1?
> 

Yes, but it doesn't sound a great place to do it: here it's about
overflow, so I'd prefer not doing the null memory region check there.

Regards.

-- 
Yann Droneaud
OPTEYA

Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0

[Sagi Grimberg]

On 4/14/2015 3:00 PM, Yann Droneaud wrote:
> Hi,
>
> Le mardi 14 avril 2015 à 12:20 +0300, Sagi Grimberg a écrit :
>> On 4/13/2015 3:56 PM, Yann Droneaud wrote:
>>> In a call to ib_umem_get(), if address is 0x0 and size is
>>> already page aligned, check added in commit 8494057ab5e4
>>> ("IB/uverbs: Prevent integer overflow in ib_umem_get address
>>> arithmetic") will refuse to register a memory region that
>>> could otherwise be valid (provided vm.mmap_min_addr sysctl
>>> and mmap_low_allowed SELinux knobs allow userspace to map
>>> something at address 0x0).
>>>
>>> This patch allows back such registration: ib_umem_get()
>>> should probably don't care of the base address provided it
>>> can be pinned with get_user_pages().
>>>
>>> There's two possible overflows, in (addr + size) and in
>>> PAGE_ALIGN(addr + size), this patch keep ensuring none
>>> of them happen while allowing to pin memory at address
>>> 0x0. Anyway, the case of size equal 0 is no more (partially)
>>> handled as 0-length memory region are disallowed by an
>>> earlier check.
>>>
>>> Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud-RlY5vtjFyJ1hl2p70BpVqQ@public.gmane.orgm
>>> Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
>>> Cc: Shachar Raindel <raindel-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>> Cc: Jack Morgenstein <jackm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>> Cc: Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>> Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
>>> ---
>>>    drivers/infiniband/core/umem.c | 4 ++--
>>>    1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
>>> index 9ac4068d2088..38acb3cfc545 100644
>>> --- a/drivers/infiniband/core/umem.c
>>> +++ b/drivers/infiniband/core/umem.c
>>> @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
>>>    	 * If the combination of the addr and size requested for this memory
>>>    	 * region causes an integer overflow, return error.
>>>    	 */
>>> -	if ((PAGE_ALIGN(addr + size) <= size) ||
>>> -	    (PAGE_ALIGN(addr + size) <= addr))
>>> +	if (((addr + size) < addr) ||
>>> +	    PAGE_ALIGN(addr + size) < (addr + size))
>>
>> If you do change the first statement to be: (addr + size) <= addr
>> wouldn't it cover patch #1?
>>
>
> Yes, but it doesn't sound a great place to do it: here it's about
> overflow, so I'd prefer not doing the null memory region check there.
>
> Regards.
>

Sounds reasonable to me.

Reviewed-by: Sagi Grimberg <sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Let's poke Shachar/Haggai to comment/approve on this as well.

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0

[Haggai Eran]

On 14/04/2015 15:50, Sagi Grimberg wrote:
> On 4/14/2015 3:00 PM, Yann Droneaud wrote:
>> Le mardi 14 avril 2015 à 12:20 +0300, Sagi Grimberg a écrit :
>>> On 4/13/2015 3:56 PM, Yann Droneaud wrote:
...
>>>> diff --git a/drivers/infiniband/core/umem.c
>>>> b/drivers/infiniband/core/umem.c
>>>> index 9ac4068d2088..38acb3cfc545 100644
>>>> --- a/drivers/infiniband/core/umem.c
>>>> +++ b/drivers/infiniband/core/umem.c
>>>> @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
>>>>         * If the combination of the addr and size requested for this memory
>>>>         * region causes an integer overflow, return error.
>>>>         */
>>>> -    if ((PAGE_ALIGN(addr + size) <= size) ||
>>>> -        (PAGE_ALIGN(addr + size) <= addr))
>>>> +    if (((addr + size) < addr) ||
>>>> +        PAGE_ALIGN(addr + size) < (addr + size))
>>>
>>> If you do change the first statement to be: (addr + size) <= addr
>>> wouldn't it cover patch #1?
>>>
>>
>> Yes, but it doesn't sound a great place to do it: here it's about
>> overflow, so I'd prefer not doing the null memory region check there.
>>
>> Regards.
>>
> 
> Sounds reasonable to me.

Me too. As long as we prevent the integer overflow, there is no need to
disallow regions starting at 0x0.

Reviewed-by: Haggai Eran <haggaie-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

> 
> Reviewed-by: Sagi Grimberg <sagig-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> 
> Let's poke Shachar/Haggai to comment/approve on this as well.
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html