CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950)
This commit is contained in:
Josh Boyer
parent
ac03c510f0
commit
32dcd3a968
|
|
@ -0,0 +1,47 @@
|
|||
From: Shachar Raindel <raindel@mellanox.com>
|
||||
Date: Sun, 4 Jan 2015 18:30:32 +0200
|
||||
Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address
|
||||
arithmetic
|
||||
|
||||
Properly verify that the resulting page aligned end address is larger
|
||||
than both the start address and the length of the memory area
|
||||
requested.
|
||||
|
||||
Both the start and length arguments for ib_umem_get are controlled by
|
||||
the user. A misbehaving user can provide values which will cause an
|
||||
integer overflow when calculating the page aligned end address.
|
||||
|
||||
This overflow can cause also miscalculation of the number of pages
|
||||
mapped, and additional logic issues.
|
||||
|
||||
Issue: 470602
|
||||
Change-Id: Iee88441db454af291fc5a376009d840603398d23
|
||||
Signed-off-by: Shachar Raindel <raindel@mellanox.com>
|
||||
Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
|
||||
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
|
||||
---
|
||||
drivers/infiniband/core/umem.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
|
||||
index aec7a6aa2951..8c014b5dab4c 100644
|
||||
--- a/drivers/infiniband/core/umem.c
|
||||
+++ b/drivers/infiniband/core/umem.c
|
||||
@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
|
||||
if (dmasync)
|
||||
dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
|
||||
|
||||
+ /*
|
||||
+ * If the combination of the addr and size requested for this memory
|
||||
+ * region causes an integer overflow, return error.
|
||||
+ */
|
||||
+ if ((PAGE_ALIGN(addr + size) <= size) ||
|
||||
+ (PAGE_ALIGN(addr + size) <= addr))
|
||||
+ return ERR_PTR(-EINVAL);
|
||||
+
|
||||
if (!can_do_mlock())
|
||||
return ERR_PTR(-EPERM);
|
||||
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
|
@ -654,6 +654,9 @@ Patch26164: Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch
|
|||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
Patch26165: xen-pciback-limit-guest-control-of-command-register.patch
|
||||
|
||||
#CVE-2014-8159 rhbz 1181166 1200950
|
||||
Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
|
@ -1412,6 +1415,9 @@ ApplyPatch Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch
|
|||
#CVE-2015-2150 rhbz 1196266 1200397
|
||||
ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch
|
||||
|
||||
#CVE-2014-8159 rhbz 1181166 1200950
|
||||
ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
|
@ -2269,6 +2275,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Mar 12 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950)
|
||||
|
||||
* Wed Mar 11 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc3.git1.1
|
||||
- Linux v4.0-rc3-111-gaffb8172de39
|
||||
- CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)
|
||||
|
|
|
|||
Loading…
Reference in New Issue