From: Greg Kroah-Hartman
Date: Fri, 7 Jul 2017 08:34:15 +0000 (+0200)
Subject: 4.11-stable patches
X-Git-Tag: v4.9.37~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3eaa1b6d5750bde9ad86188effa37467c35788ff;p=thirdparty%2Fkernel%2Fstable-queue.git
4.11-stable patches added patches: rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
---
diff --git a/queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch b/queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
new file mode 100644
index 00000000000..ab81cbf3a5e
--- /dev/null
+++ b/queue-4.11/rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
@@ -0,0 +1,59 @@
+From 5ecce4c9b17bed4dc9cb58bfb10447307569b77b Mon Sep 17 00:00:00 2001
+From: Boris Pismenny
+Date: Tue, 27 Jun 2017 15:09:13 +0300
+Subject: RDMA/uverbs: Check port number supplied by user verbs cmds
+
+From: Boris Pismenny
+
+commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
+
+The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
+the port number from user input as part of its attributes and assumes
+it is valid. Down on the stack, that parameter is used to access kernel
+data structures. If the value is invalid, the kernel accesses memory
+it should not. To prevent this, verify the port number before using it.
+
+BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
+Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
+
+BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
+Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
+
+Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
+Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet pacing")
+Cc: Yevgeny Kliteynik
+Cc: Tziporet Koren
+Cc: Alex Polak
+Signed-off-by: Boris Pismenny
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2404,6 +2404,11 @@ static int modify_qp(struct ib_uverbs_fi
+ goto out;
+ }
+
++ if (!rdma_is_port_valid(qp->device, cmd->base.port_num)) {
++ ret = -EINVAL;
++ goto release_qp;
++ }
++
+ attr->qp_state = cmd->base.qp_state;
+ attr->cur_qp_state = cmd->base.cur_qp_state;
+ attr->path_mtu = cmd->base.path_mtu;
+@@ -3000,6 +3005,9 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (!rdma_is_port_valid(ib_dev, cmd.attr.port_num))
++ return -EINVAL;
++
+ INIT_UDATA(&udata, buf + sizeof(cmd),
+
(unsigned long)cmd.response + sizeof(resp),
+ in_len - sizeof(cmd), out_len - sizeof(resp));
diff --git a/queue-4.11/series b/queue-4.11/series
index df8b01e298e..f7409222e01 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -1,3 +1,4 @@
 fs-add-a-valid_open_flags.patch
 fs-completely-ignore-unknown-open-flags.patch
 driver-core-platform-fix-race-condition-with-driver_override.patch
+rdma-uverbs-check-port-number-supplied-by-user-verbs-cmds.patch
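Review bot: In the modify_qp hunk of the queued patch, the new rdma_is_port_valid() test runs on every call, whether or not the caller marked the port attribute as present; the hunk does not show the attribute mask being consulted, so a modify request that leaves port_num at zero would presumably now fail with -EINVAL. Gating the test on the mask keeps the bounds check for callers that do supply a port: `if ((cmd->base.attr_mask & IB_QP_PORT) && !rdma_is_port_valid(qp->device, cmd->base.port_num)) {`. The same function likely copies other user-supplied port fields (the alternate-path port, for instance) further down, outside the hunk, and those would need the same validation to fully close the out-of-bounds read the commit message describes. Both modify_qp and ib_uverbs_create_ah start and end outside the visible hunks, so this should be confirmed against the full file.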