Message ID | 20170207134431.GK11103@mwanda (mailing list archive) |
---|---|
State | Accepted |
On Tue, Feb 07, 2017 at 04:45:19PM +0300, Dan Carpenter wrote:
> From: Eyal Itkin <eyal.itkin@gmail.com>
>
> Update the range check to avoid integer-overflow in edge case.
> Resolves CVE 2016-8636.
>
> Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: I completely misread Eyal's first patch.
>

Thanks,
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>

On Tue, 2017-02-07 at 16:45 +0300, Dan Carpenter wrote: > From: Eyal Itkin <eyal.itkin@gmail.com> > > Update the range check to avoid integer-overflow in edge case. > Resolves CVE 2016-8636. > > Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: I completely misread Eyal's first patch. > > diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c > b/drivers/infiniband/sw/rxe/rxe_mr.c > index 8cf38b253c37..37eea7441ca4 100644 > --- a/drivers/infiniband/sw/rxe/rxe_mr.c > +++ b/drivers/infiniband/sw/rxe/rxe_mr.c > @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, > size_t length) > > case RXE_MEM_TYPE_MR: > case RXE_MEM_TYPE_FMR: > - return ((iova < mem->iova) || > - ((iova + length) > (mem->iova + mem- > >length))) ? > - -EFAULT : 0; > + if (iova < mem->iova || > + length > mem->length || > + iova > mem->iova + mem->length - length) > + return -EFAULT; > + return 0; > > default: > return -EFAULT; Thanks, applied.
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c index 8cf38b253c37..37eea7441ca4 100644 --- a/drivers/infiniband/sw/rxe/rxe_mr.c +++ b/drivers/infiniband/sw/rxe/rxe_mr.c @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length) case RXE_MEM_TYPE_MR: case RXE_MEM_TYPE_FMR: - return ((iova < mem->iova) || - ((iova + length) > (mem->iova + mem->length))) ? - -EFAULT : 0; + if (iova < mem->iova || + length > mem->length || + iova > mem->iova + mem->length - length) + return -EFAULT; + return 0; default: return -EFAULT;
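
Review bot: In the RXE_MEM_TYPE_MR / RXE_MEM_TYPE_FMR branch of mem_check_range(), the third test `iova > mem->iova + mem->length - length` is only safe because `length > mem->length` is rejected by the condition just before it; if a later cleanup reorders or drops that second condition, the right-hand side can wrap and the check can again pass for an out-of-range request. A short comment above the `if` saying that the order of the three conditions is deliberate would guard against that. The sum `mem->iova + mem->length` is still computed here, so the check also assumes the region's own end address does not wrap; nothing in this hunk enforces that, so it is worth confirming it is validated where the region is set up.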