4.4-stable patches

added patches:
	rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch

diff --git a/queue-4.4/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch b/queue-4.4/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
new file mode 100644 (file)
index 0000000..112b3ac
--- /dev/null
+++ b/queue-4.4/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
@@ -0,0 +1,61 @@
+From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00 2001
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Tue, 27 Jun 2017 15:09:13 +0300
+Subject: RDMA/uverbs: Check port number supplied by user verbs cmds
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
+
+The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
+the port number from user input as part of its attributes and assumes
+it is valid. Down on the stack, that parameter is used to access kernel
+data structures.  If the value is invalid, the kernel accesses memory
+it should not.  To prevent this, verify the port number before using it.
+
+BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
+Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
+
+BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
+Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
+
+Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
+Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
+Cc: Tziporet Koren <tziporet@mellanox.com>
+Cc: Alex Polak <alexpo@mellanox.com>
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+Modified from upstream commit: helper function rdma_is_port_valid does not
+exist in these kernel versions, so use manual comparisons instead.
+
+ drivers/infiniband/core/uverbs_cmd.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2287,6 +2287,10 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
+       if (copy_from_user(&cmd, buf, sizeof cmd))
+               return -EFAULT;
+ 
++      if (cmd.port_num < rdma_start_port(ib_dev) ||
++          cmd.port_num > rdma_end_port(ib_dev))
++              return -EINVAL;
++
+       INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
+                  out_len);
+ 
+@@ -2827,6 +2831,10 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
+       if (copy_from_user(&cmd, buf, sizeof cmd))
+               return -EFAULT;
+ 
++      if (cmd.attr.port_num < rdma_start_port(ib_dev) ||
++          cmd.attr.port_num > rdma_end_port(ib_dev))
++              return -EINVAL;
++
+       uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
+       if (!uobj)
+               return -ENOMEM;

diff --git a/queue-4.4/series b/queue-4.4/series
index 2c49b9fd9295100222b19f26a58729538c4266dd..5f3a8341763be841ba4fe394bbb5351d28dc0302 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,4 @@ x86-tools-fix-gcc-7-warning-in-relocs.c.patch
 x86-uaccess-optimize-copy_user_enhanced_fast_string-for-short-strings.patch
 ath10k-override-ce5-config-for-qca9377.patch
 keys-fix-an-error-code-in-request_master_key.patch
+rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch