* FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in struct" failed to apply to 4.14-stable tree
From: gregkh @ 2021-10-30 12:57 UTC
To: mike.marciniszyn, dennis.dalessandro, ivansprundel, jgg; +Cc: stable
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From d39bf40e55e666b5905fdbd46a0dced030ce87be Mon Sep 17 00:00:00 2001
From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Date: Tue, 12 Oct 2021 13:55:19 -0400
Subject: [PATCH] IB/qib: Protect from buffer overflow in struct
qib_user_sdma_pkt fields
Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.
Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c
index a67599b5a550..ac11943a5ddb 100644
--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
@@ -602,7 +602,7 @@ static int qib_user_sdma_coalesce(const struct qib_devdata *dd,
/*
* How many pages in this iovec element?
*/
-static int qib_user_sdma_num_pages(const struct iovec *iov)
+static size_t qib_user_sdma_num_pages(const struct iovec *iov)
{
const unsigned long addr = (unsigned long) iov->iov_base;
const unsigned long len = iov->iov_len;
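Review bot: widening the return type to size_t only fixes the sign problem at the call sites; the page-count arithmetic itself, which runs on `addr` and `len` taken straight from the user-supplied iovec, is outside this hunk, so a reviewer should confirm that any `addr + len` style computation in the body cannot wrap for a very large `iov_len` before the count is returned. A short comment above the function stating the bound on `iov_len` that the caller has already enforced would make that reviewable.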
@@ -658,7 +658,7 @@ static void qib_user_sdma_free_pkt_frag(struct device *dev,
static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
struct qib_user_sdma_queue *pq,
struct qib_user_sdma_pkt *pkt,
- unsigned long addr, int tlen, int npages)
+ unsigned long addr, int tlen, size_t npages)
{
struct page *pages[8];
int i, j;
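Review bot: `npages` becomes size_t here while `tlen` stays `int` and the loop indices `i, j` stay `int`, so any comparison or subtraction between them in the body below mixes signed and unsigned arithmetic; either widen `tlen` to the same type as `npages` or state in a comment why the per-iovec page count is small enough that the mixed comparison cannot misbehave.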
@@ -722,7 +722,7 @@ static int qib_user_sdma_pin_pkt(const struct qib_devdata *dd,
unsigned long idx;
for (idx = 0; idx < niov; idx++) {
- const int npages = qib_user_sdma_num_pages(iov + idx);
+ const size_t npages = qib_user_sdma_num_pages(iov + idx);
const unsigned long addr = (unsigned long) iov[idx].iov_base;
ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr,
@@ -824,8 +824,8 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
unsigned pktnw;
unsigned pktnwc;
int nfrags = 0;
- int npages = 0;
- int bytes_togo = 0;
+ size_t npages = 0;
+ size_t bytes_togo = 0;
int tiddma = 0;
int cfur;
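Review bot: `npages` is widened to size_t but, unlike `bytes_togo`, its accumulation `npages += qib_user_sdma_num_pages(&iov[idx]);` (top of the next hunk) gets no check_add_overflow(); with the per-element count now also a size_t, a sum of user-controlled page counts can still wrap silently, so either give it the same checked add or document the bound on niov and iov_len that makes the check unnecessary.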
@@ -885,7 +885,11 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
npages += qib_user_sdma_num_pages(&iov[idx]);
- bytes_togo += slen;
+ if (check_add_overflow(bytes_togo, slen, &bytes_togo) ||
+ bytes_togo > type_max(typeof(pkt->bytes_togo))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
pktnwc += slen >> 2;
idx++;
nfrags++;
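Review bot: check_add_overflow() in linux/overflow.h of this era type-checks its arguments (its `(void) (&__a == &__b)` comparison warns unless `a`, `b` and `*d` share one type), so this line assumes `slen` is already a size_t; if it is not, the build warns and the checked add should use a temporary of the right type. The `pktnwc += slen >> 2;` immediately below still accumulates into a plain `unsigned` without a check; confirm it is bounded by the bytes_togo limit just enforced, or give it the same treatment.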
@@ -904,8 +908,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
}
if (frag_size) {
- int tidsmsize, n;
- size_t pktsize;
+ size_t tidsmsize, n, pktsize, sz, addrlimit;
n = npages*((2*PAGE_SIZE/frag_size)+1);
pktsize = struct_size(pkt, addr, n);
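Review bot: `n = npages*((2*PAGE_SIZE/frag_size)+1);` is now a size_t multiply on a user-influenced `npages`, yet it is the one arithmetic step in this function left without an overflow check while the additions around it get check_add_overflow(); use check_mul_overflow() here, or add a comment arguing why a wrapped `n` is harmless given that struct_size(pkt, addr, n) and the addrlimit computation both consume the same `n`. Merging the declarations into `size_t tidsmsize, n, pktsize, sz, addrlimit;` is fine, but `sz` gives no hint that it is the total allocation size; `allocsize` would read better.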
@@ -923,14 +926,24 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
else
tidsmsize = 0;
- pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL);
+ if (check_add_overflow(pktsize, tidsmsize, &sz)) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt = kmalloc(sz, GFP_KERNEL);
if (!pkt) {
ret = -ENOMEM;
goto free_pbc;
}
pkt->largepkt = 1;
pkt->frag_size = frag_size;
- pkt->addrlimit = n + ARRAY_SIZE(pkt->addr);
+ if (check_add_overflow(n, ARRAY_SIZE(pkt->addr),
+ &addrlimit) ||
+ addrlimit > type_max(typeof(pkt->addrlimit))) {
+ ret = -EINVAL;
+ goto free_pbc;
+ }
+ pkt->addrlimit = addrlimit;
if (tiddma) {
char *tidsm = (char *)pkt + pktsize;
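Review bot: the addrlimit check sits after `pkt = kmalloc(sz, GFP_KERNEL);` has succeeded, yet its failure path is `goto free_pbc`, the same label used before the allocation; unless free_pbc also releases `pkt` (the label is outside this hunk), the new -EINVAL path leaks the packet. Both operands, `n` and `ARRAY_SIZE(pkt->addr)`, are known before the allocation (ARRAY_SIZE is a sizeof expression and does not evaluate `pkt`), so move this check up beside the `sz` check, before kmalloc(), and the question disappears.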
* RE: FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in struct" failed to apply to 4.14-stable tree
From: Marciniszyn, Mike @ 2021-11-03 15:25 UTC
To: gregkh, Dalessandro, Dennis, ivansprundel, jgg; +Cc: stable
> From: gregkh@linuxfoundation.org <gregkh@linuxfoundation.org>
> Sent: Saturday, October 30, 2021 8:58 AM
> To: Marciniszyn, Mike <mike.marciniszyn@cornelisnetworks.com>;
> Dalessandro, Dennis <dennis.dalessandro@cornelisnetworks.com>;
> ivansprundel@ioactive.com; jgg@nvidia.com
> Cc: stable@vger.kernel.org
> Subject: FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in
> struct" failed to apply to 4.14-stable tree
>
>
> The patch below does not apply to the 4.14-stable tree.
> If someone wants it applied there, or to any other stable or longterm tree,
> then please email the backport, including the original git commit id to
> <stable@vger.kernel.org>.
>
> thanks,
>
> greg k-h
>
This patch requires a backport of upstream commit:
829ca44ecf60 ("IB/qib: Use struct_size() helper")
That commit needs to be modified to include linux/overflow.h.
The overflow patch then picks clean after that modified patch is present.
How do you want to see that expressed in patches?
Mike
* Re: FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in struct" failed to apply to 4.14-stable tree
From: gregkh @ 2021-11-03 17:59 UTC
To: Marciniszyn, Mike; +Cc: Dalessandro, Dennis, ivansprundel, jgg, stable
On Wed, Nov 03, 2021 at 03:25:39PM +0000, Marciniszyn, Mike wrote:
> > From: gregkh@linuxfoundation.org <gregkh@linuxfoundation.org>
> > Sent: Saturday, October 30, 2021 8:58 AM
> > To: Marciniszyn, Mike <mike.marciniszyn@cornelisnetworks.com>;
> > Dalessandro, Dennis <dennis.dalessandro@cornelisnetworks.com>;
> > ivansprundel@ioactive.com; jgg@nvidia.com
> > Cc: stable@vger.kernel.org
> > Subject: FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in
> > struct" failed to apply to 4.14-stable tree
> >
> >
> > The patch below does not apply to the 4.14-stable tree.
> > If someone wants it applied there, or to any other stable or longterm tree,
> > then please email the backport, including the original git commit id to
> > <stable@vger.kernel.org>.
> >
> > thanks,
> >
> > greg k-h
> >
>
> This patch requires a backport of upstream commit:
>
> 829ca44ecf60 ("IB/qib: Use struct_size() helper")
>
> That commit needs to be modified to include linux/overflow.h.
>
> The overflow patch then picks clean after that modified patch is present.
>
> How do you want to see that expressed in patches?
Can you please send a patch series for this that I can apply?
thanks,
greg k-h
* RE: FAILED: patch "[PATCH] IB/qib: Protect from buffer overflow in struct" failed to apply to 4.14-stable tree
From: Marciniszyn, Mike @ 2021-11-03 18:00 UTC
To: gregkh; +Cc: Dalessandro, Dennis, ivansprundel, jgg, stable
> > This patch requires a backport of upstream commit:
> >
> > 829ca44ecf60 ("IB/qib: Use struct_size() helper")
> >
> > That commit needs to be modified to include linux/overflow.h.
> >
> > The overflow patch then picks clean after that modified patch is present.
> >
> > How do you want to see that expressed in patches?
>
> Can you please send a patch series for this that I can apply?
>
> thanks,
>
> greg k-h
I figured that.
I will be sending it out shortly.
Mike