4.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Jul 2017 08:34:15 +0000 (10:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Jul 2017 08:34:15 +0000 (10:34 +0200)
added patches:
rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch

queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch [new file with mode: 0644]
queue-4.11/series

diff --git a/queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch b/queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
new file mode 100644 (file)
index 0000000..ab81cbf
--- /dev/null
@@ -0,0 +1,59 @@
+From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00 2001
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Tue, 27 Jun 2017 15:09:13 +0300
+Subject: RDMA/uverbs: Check port number supplied by user verbs cmds
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
+
+The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
+the port number from user input as part of its attributes and assumes
+it is valid. Down on the stack, that parameter is used to access kernel
+data structures.  If the value is invalid, the kernel accesses memory
+it should not.  To prevent this, verify the port number before using it.
+
+BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
+Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
+
+BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
+Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
+
+Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
+Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet pacing")
+Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
+Cc: Tziporet Koren <tziporet@mellanox.com>
+Cc: Alex Polak <alexpo@mellanox.com>
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_cmd.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2404,6 +2404,11 @@ static int modify_qp(struct ib_uverbs_fi
+               goto out;
+       }
++      if (!rdma_is_port_valid(qp->device, cmd->base.port_num)) {
++              ret = -EINVAL;
++              goto release_qp;
++      }
++
+       attr->qp_state            = cmd->base.qp_state;
+       attr->cur_qp_state        = cmd->base.cur_qp_state;
+       attr->path_mtu            = cmd->base.path_mtu;
+@@ -3000,6 +3005,9 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
+       if (copy_from_user(&cmd, buf, sizeof cmd))
+               return -EFAULT;
++      if (!rdma_is_port_valid(ib_dev, cmd.attr.port_num))
++              return -EINVAL;
++
+       INIT_UDATA(&udata, buf + sizeof(cmd),
+                  (unsigned long)cmd.response + sizeof(resp),
+                  in_len - sizeof(cmd), out_len - sizeof(resp));
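Review bot: In the modify_qp hunk of the queued patch, `rdma_is_port_valid(qp->device, cmd->base.port_num)` runs on every call, but `port_num` is only meaningful when the caller sets `IB_QP_PORT` in the attribute mask, so a modify request that leaves the field at zero would presumably now fail with -EINVAL. Gating the check, `if ((cmd->base.attr_mask & IB_QP_PORT) && !rdma_is_port_valid(qp->device, cmd->base.port_num)) {`, keeps the bounds check for user-supplied ports without rejecting requests that never touch the port. The visible lines also validate only `port_num`; whether `alt_port_num` and the port numbers carried in the address-handle attributes are range-checked cannot be seen from here, because modify_qp and ib_uverbs_create_ah both begin and end outside the hunk. Those fields should get the same validation before this is treated as the complete fix for the KASAN reports quoted in the description.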
index df8b01e298e71ede2764e8063e2301325757d0ad..f7409222e0164452751aab83421b9a3211836c4d 100644 (file)
@@ -1,3 +1,4 @@
 fs-add-a-valid_open_flags.patch
 fs-completely-ignore-unknown-open-flags.patch
 driver-core-platform-fix-race-condition-with-driver_override.patch
+rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch