* [PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
@ 2015-04-13 12:56 Yann Droneaud
[not found] ` <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-04-13 12:56 ` [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0 Yann Droneaud
0 siblings, 2 replies; 7+ messages in thread
From: Yann Droneaud @ 2015-04-13 12:56 UTC (permalink / raw)
To: Roland Dreier
Cc: linux-rdma, Shachar Raindel, Jack Morgenstein, Or Gerlitz,
stable, Yann Droneaud
Hi,
Please find one patch to prevent a possible issue partially
addressed by commit 8494057ab5e4 ("IB/uverbs: Prevent integer
overflow in ib_umem_get address arithmetic") (see discussions
in [1]) and another one to add back the possibility of registering
memory mapped at 0 (which is probably not something to be allowed,
but it's probably not up to ib_umem_get() to prevent it).
Changes from v0 [2]:
- don't touch to overflow logic in first patch:
not modifying the logic here so that the patch can be applied
even on kernel without the overflow preventing checks,
and second patch is going to rewrite the check.
- don't break overflow detection in second patch:
changing less or equal to less comparison broke the overflow
detection logic regarding to rounding done by PAGE_ALIGN,
so fixes this by checking for overflow in addr + size,
then by checking for overflow in PAGE_ALIGN(addr + size).
[1] "Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical
memory access"
http://mid.gmane.org/1428497043.22575.176.camel@opteya.com
http://marc.info/?i=1428497043.22575.176.camel@opteya.com
[2] [PATCH RESEND 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
http://mid.gmane.org/cover.1428523125.git.ydroneaud@opteya.com
http://marc.info/?i=cover.1428523125.git.ydroneaud@opteya.com
Yann Droneaud (2):
IB/core: disallow registering 0-sized memory region
IB/core: don't disallow registering region starting at 0x0
drivers/infiniband/core/umem.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--
2.1.0
^ permalink raw reply [flat|nested] 7+ messages in thread[parent not found: <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>]
* [PATCH v1 1/2] IB/core: disallow registering 0-sized memory region
[not found] ` <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
@ 2015-04-13 12:56 ` Yann Droneaud
0 siblings, 0 replies; 7+ messages in thread
From: Yann Droneaud @ 2015-04-13 12:56 UTC (permalink / raw)
To: Roland Dreier
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA, Shachar Raindel,
Jack Morgenstein, Or Gerlitz, stable-u79uwXL29TY76Z2rM5mHXA,
Yann Droneaud
If ib_umem_get() is called with a size equal to 0 and an
non-page aligned address, one page will be pinned and a
0-sized umem will be returned to the caller.
This should not be allowed: it's not expected for a memory
region to have a size equal to 0.
This patch adds a check to explicitly refuse to register
a 0-sized region.
Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org
Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Cc: Shachar Raindel <raindel-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Jack Morgenstein <jackm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Or Gerlitz <ogerlitz-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Signed-off-by: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
---
drivers/infiniband/core/umem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 8c014b5dab4c..9ac4068d2088 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,6 +99,9 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
if (dmasync)
dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ if (!size)
+ return ERR_PTR(-EINVAL);
+
/*
* If the combination of the addr and size requested for this memory
* region causes an integer overflow, return error.
--
2.1.0
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0
2015-04-13 12:56 [PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Yann Droneaud
[not found] ` <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
@ 2015-04-13 12:56 ` Yann Droneaud
2015-04-14 9:20 ` Sagi Grimberg
1 sibling, 1 reply; 7+ messages in thread
From: Yann Droneaud @ 2015-04-13 12:56 UTC (permalink / raw)
To: Roland Dreier
Cc: linux-rdma, Shachar Raindel, Jack Morgenstein, Or Gerlitz,
stable, Yann Droneaud
In a call to ib_umem_get(), if address is 0x0 and size is
already page aligned, check added in commit 8494057ab5e4
("IB/uverbs: Prevent integer overflow in ib_umem_get address
arithmetic") will refuse to register a memory region that
could otherwise be valid (provided vm.mmap_min_addr sysctl
and mmap_low_allowed SELinux knobs allow userspace to map
something at address 0x0).
This patch allows back such registration: ib_umem_get()
should probably don't care of the base address provided it
can be pinned with get_user_pages().
There's two possible overflows, in (addr + size) and in
PAGE_ALIGN(addr + size), this patch keep ensuring none
of them happen while allowing to pin memory at address
0x0. Anyway, the case of size equal 0 is no more (partially)
handled as 0-length memory region are disallowed by an
earlier check.
Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
Cc: Shachar Raindel <raindel@mellanox.com>
Cc: Jack Morgenstein <jackm@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
---
drivers/infiniband/core/umem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 9ac4068d2088..38acb3cfc545 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
* If the combination of the addr and size requested for this memory
* region causes an integer overflow, return error.
*/
- if ((PAGE_ALIGN(addr + size) <= size) ||
- (PAGE_ALIGN(addr + size) <= addr))
+ if (((addr + size) < addr) ||
+ PAGE_ALIGN(addr + size) < (addr + size))
return ERR_PTR(-EINVAL);
if (!can_do_mlock())
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0
2015-04-13 12:56 ` [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0 Yann Droneaud
@ 2015-04-14 9:20 ` Sagi Grimberg
2015-04-14 12:00 ` Yann Droneaud
0 siblings, 1 reply; 7+ messages in thread
From: Sagi Grimberg @ 2015-04-14 9:20 UTC (permalink / raw)
To: Yann Droneaud, Roland Dreier
Cc: linux-rdma, Shachar Raindel, Jack Morgenstein, Or Gerlitz, stable
On 4/13/2015 3:56 PM, Yann Droneaud wrote:
> In a call to ib_umem_get(), if address is 0x0 and size is
> already page aligned, check added in commit 8494057ab5e4
> ("IB/uverbs: Prevent integer overflow in ib_umem_get address
> arithmetic") will refuse to register a memory region that
> could otherwise be valid (provided vm.mmap_min_addr sysctl
> and mmap_low_allowed SELinux knobs allow userspace to map
> something at address 0x0).
>
> This patch allows back such registration: ib_umem_get()
> should probably don't care of the base address provided it
> can be pinned with get_user_pages().
>
> There's two possible overflows, in (addr + size) and in
> PAGE_ALIGN(addr + size), this patch keep ensuring none
> of them happen while allowing to pin memory at address
> 0x0. Anyway, the case of size equal 0 is no more (partially)
> handled as 0-length memory region are disallowed by an
> earlier check.
>
> Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
> Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
> Cc: Shachar Raindel <raindel@mellanox.com>
> Cc: Jack Morgenstein <jackm@mellanox.com>
> Cc: Or Gerlitz <ogerlitz@mellanox.com>
> Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
> ---
> drivers/infiniband/core/umem.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
> index 9ac4068d2088..38acb3cfc545 100644
> --- a/drivers/infiniband/core/umem.c
> +++ b/drivers/infiniband/core/umem.c
> @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
> * If the combination of the addr and size requested for this memory
> * region causes an integer overflow, return error.
> */
> - if ((PAGE_ALIGN(addr + size) <= size) ||
> - (PAGE_ALIGN(addr + size) <= addr))
> + if (((addr + size) < addr) ||
> + PAGE_ALIGN(addr + size) < (addr + size))
If you do change the first statement to be: (addr + size) <= addr
wouldn't it cover patch #1?
Sagi.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0
2015-04-14 9:20 ` Sagi Grimberg
@ 2015-04-14 12:00 ` Yann Droneaud
[not found] ` <1429012859.4333.2.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Yann Droneaud @ 2015-04-14 12:00 UTC (permalink / raw)
To: Sagi Grimberg
Cc: Roland Dreier, linux-rdma, Shachar Raindel, Jack Morgenstein,
Or Gerlitz, stable
Hi,
Le mardi 14 avril 2015 à 12:20 +0300, Sagi Grimberg a écrit :
> On 4/13/2015 3:56 PM, Yann Droneaud wrote:
> > In a call to ib_umem_get(), if address is 0x0 and size is
> > already page aligned, check added in commit 8494057ab5e4
> > ("IB/uverbs: Prevent integer overflow in ib_umem_get address
> > arithmetic") will refuse to register a memory region that
> > could otherwise be valid (provided vm.mmap_min_addr sysctl
> > and mmap_low_allowed SELinux knobs allow userspace to map
> > something at address 0x0).
> >
> > This patch allows back such registration: ib_umem_get()
> > should probably don't care of the base address provided it
> > can be pinned with get_user_pages().
> >
> > There's two possible overflows, in (addr + size) and in
> > PAGE_ALIGN(addr + size), this patch keep ensuring none
> > of them happen while allowing to pin memory at address
> > 0x0. Anyway, the case of size equal 0 is no more (partially)
> > handled as 0-length memory region are disallowed by an
> > earlier check.
> >
> > Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
> > Cc: <stable@vger.kernel.org> # 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic")
> > Cc: Shachar Raindel <raindel@mellanox.com>
> > Cc: Jack Morgenstein <jackm@mellanox.com>
> > Cc: Or Gerlitz <ogerlitz@mellanox.com>
> > Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
> > ---
> > drivers/infiniband/core/umem.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
> > index 9ac4068d2088..38acb3cfc545 100644
> > --- a/drivers/infiniband/core/umem.c
> > +++ b/drivers/infiniband/core/umem.c
> > @@ -106,8 +106,8 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
> > * If the combination of the addr and size requested for this memory
> > * region causes an integer overflow, return error.
> > */
> > - if ((PAGE_ALIGN(addr + size) <= size) ||
> > - (PAGE_ALIGN(addr + size) <= addr))
> > + if (((addr + size) < addr) ||
> > + PAGE_ALIGN(addr + size) < (addr + size))
>
> If you do change the first statement to be: (addr + size) <= addr
> wouldn't it cover patch #1?
>
Yes, but it doesn't sound a great place to do it: here it's about
overflow, so I'd prefer not doing the null memory region check there.
Regards.
--
Yann Droneaud
OPTEYA
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-04-14 14:35 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-04-13 12:56 [PATCH v1 0/2] Fixes on top of CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Yann Droneaud
[not found] ` <cover.1428929103.git.ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-04-13 12:56 ` [PATCH v1 1/2] IB/core: disallow registering 0-sized memory region Yann Droneaud
2015-04-13 12:56 ` [PATCH v1 2/2] IB/core: don't disallow registering region starting at 0x0 Yann Droneaud
2015-04-14 9:20 ` Sagi Grimberg
2015-04-14 12:00 ` Yann Droneaud
[not found] ` <1429012859.4333.2.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2015-04-14 12:50 ` Sagi Grimberg
[not found] ` <552D0D2A.8000604-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>
2015-04-14 14:35 ` Haggai Eran
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.