[thirdparty/kernel/stable-queue.git] / releases / 3.14.3 / ib-nes-return-an-error-on-ib_copy_from_udata-failure-instead-of-null.patch

From 9d194d1025f463392feafa26ff8c2d8247f71be1 Mon Sep 17 00:00:00 2001
From: Yann Droneaud <ydroneaud@opteya.com>
Date: Mon, 10 Mar 2014 23:06:27 +0100
Subject: IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL

From: Yann Droneaud <ydroneaud@opteya.com>

commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream.

In case of error while accessing to userspace memory, function
nes_create_qp() returns NULL instead of an error code wrapped through
ERR_PTR().  But NULL is not expected by ib_uverbs_create_qp(), as it
check for error with IS_ERR().

As page 0 is likely not mapped, it is going to trigger an Oops when
the kernel will try to dereference NULL pointer to access to struct
ib_qp's fields.

In some rare cases, page 0 could be mapped by userspace, which could
turn this bug to a vulnerability that could be exploited: the function
pointers in struct ib_device will be under userspace total control.

This was caught when using spatch (aka. coccinelle)
to rewrite calls to ib_copy_{from,to}_udata().

Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null
Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci
Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/nes/nes_verbs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1186,7 +1186,7 @@ static struct ib_qp *nes_create_qp(struc
 					nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);
 					kfree(nesqp->allocated_buffer);
 					nes_debug(NES_DBG_QP, "ib_copy_from_udata() Failed \n");
-					return NULL;
+					return ERR_PTR(-EFAULT);
 				}
 				if (req.user_wqe_buffers) {
 					virt_wqs = 1;
Commit	Line	Data
e95c1657 GKH	1	From 9d194d1025f463392feafa26ff8c2d8247f71be1 Mon Sep 17 00:00:00 2001
	2	From: Yann Droneaud <ydroneaud@opteya.com>
	3	Date: Mon, 10 Mar 2014 23:06:27 +0100
	4	Subject: IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL
	5
	6	From: Yann Droneaud <ydroneaud@opteya.com>
	7
	8	commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream.
	9
	10	In case of error while accessing to userspace memory, function
	11	nes_create_qp() returns NULL instead of an error code wrapped through
	12	ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it
	13	check for error with IS_ERR().
	14
	15	As page 0 is likely not mapped, it is going to trigger an Oops when
	16	the kernel will try to dereference NULL pointer to access to struct
	17	ib_qp's fields.
	18
	19	In some rare cases, page 0 could be mapped by userspace, which could
	20	turn this bug to a vulnerability that could be exploited: the function
	21	pointers in struct ib_device will be under userspace total control.
	22
	23	This was caught when using spatch (aka. coccinelle)
	24	to rewrite calls to ib_copy_{from,to}_udata().
	25
	26	Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null
	27	Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci
	28	Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com
	29	Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
	30	Signed-off-by: Roland Dreier <roland@purestorage.com>
	31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	32
	33	---
	34	drivers/infiniband/hw/nes/nes_verbs.c \| 2 +-
	35	1 file changed, 1 insertion(+), 1 deletion(-)
	36
	37	--- a/drivers/infiniband/hw/nes/nes_verbs.c
	38	+++ b/drivers/infiniband/hw/nes/nes_verbs.c
	39	@@ -1186,7 +1186,7 @@ static struct ib_qp *nes_create_qp(struc
	40	nes_free_resource(nesadapter, nesadapter->allocated_qps, qp_num);
	41	kfree(nesqp->allocated_buffer);
	42	nes_debug(NES_DBG_QP, "ib_copy_from_udata() Failed \n");
	43	- return NULL;
	44	+ return ERR_PTR(-EFAULT);
	45	}
	46	if (req.user_wqe_buffers) {
	47	virt_wqs = 1;