From 7322589ceb12b2ca7eae25bfa2b89e3d3385c8df Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 11 Mar 2018 17:14:05 +0100 Subject: [PATCH] 4.14-stable patches added patches: rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch rdma-ucma-limit-possible-option-size.patch --- queue-3.18/series | 0 ...x-integer-overflow-while-resizing-cq.patch | 85 ++++++++++++++++++ ...-that-user-doesn-t-overflow-qp-state.patch | 33 +++++++ ...rdma-ucma-limit-possible-option-size.patch | 38 ++++++++ queue-4.14/series | 3 + ...x-integer-overflow-while-resizing-cq.patch | 87 +++++++++++++++++++ ...-that-user-doesn-t-overflow-qp-state.patch | 34 ++++++++ ...rdma-ucma-limit-possible-option-size.patch | 39 +++++++++ queue-4.15/series | 3 + ...x-integer-overflow-while-resizing-cq.patch | 87 +++++++++++++++++++ ...-that-user-doesn-t-overflow-qp-state.patch | 34 ++++++++ ...rdma-ucma-limit-possible-option-size.patch | 39 +++++++++ queue-4.4/series | 3 + ...x-integer-overflow-while-resizing-cq.patch | 87 +++++++++++++++++++ ...-that-user-doesn-t-overflow-qp-state.patch | 34 ++++++++ ...rdma-ucma-limit-possible-option-size.patch | 39 +++++++++ queue-4.9/series | 3 + 17 files changed, 648 insertions(+) create mode 100644 queue-3.18/series create mode 100644 queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch create mode 100644 queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch create mode 100644 queue-4.14/rdma-ucma-limit-possible-option-size.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.15/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch create mode 100644 queue-4.15/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch create mode 100644 queue-4.15/rdma-ucma-limit-possible-option-size.patch create mode 100644 queue-4.15/series create mode 100644 queue-4.4/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch create mode 100644 queue-4.4/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch create mode 100644 
queue-4.4/rdma-ucma-limit-possible-option-size.patch
create mode 100644 queue-4.4/series
create mode 100644 queue-4.9/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
create mode 100644 queue-4.9/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
create mode 100644 queue-4.9/rdma-ucma-limit-possible-option-size.patch
create mode 100644 queue-4.9/series
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch b/queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
new file mode 100644
index 00000000000..8efd3971f1c
--- /dev/null
+++ b/queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
@@ -0,0 +1,85 @@ +From 28e9091e3119933c38933cb8fc48d5618eb784c8 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 7 Mar 2018 15:29:09 +0200 +Subject: RDMA/mlx5: Fix integer overflow while resizing CQ + +From: Leon Romanovsky + +commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. + +The user can provide very large cqe_size which will cause to integer +overflow as it can be seen in the following UBSAN warning: + +======================================================================= +UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 +signed integer overflow: +64870 * 65536 cannot be represented in type 'int' +CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware +name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xde/0x164 + ? dma_virt_map_sg+0x22c/0x22c + ubsan_epilogue+0xe/0x81 + handle_overflow+0x1f3/0x251 + ? __ubsan_handle_negate_overflow+0x19b/0x19b + ? lock_acquire+0x440/0x440 + mlx5_ib_resize_cq+0x17e7/0x1e40 + ? cyc2ns_read_end+0x10/0x10 + ? native_read_msr_safe+0x6c/0x9b + ? cyc2ns_read_end+0x10/0x10 + ? mlx5_ib_modify_cq+0x220/0x220 + ? sched_clock_cpu+0x18/0x200 + ? lookup_get_idr_uobject+0x200/0x200 + ? rdma_lookup_get_uobject+0x145/0x2f0 + ib_uverbs_resize_cq+0x207/0x3e0 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ib_uverbs_write+0x7f9/0xef0 + ? cyc2ns_read_end+0x10/0x10 + ? print_irqtrace_events+0x280/0x280 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ? uverbs_devnode+0x110/0x110 + ? sched_clock_cpu+0x18/0x200 + ? do_raw_spin_trylock+0x100/0x100 + ? __lru_cache_add+0x16e/0x290 + __vfs_write+0x10d/0x700 + ? uverbs_devnode+0x110/0x110 + ? kernel_read+0x170/0x170 + ? sched_clock_cpu+0x18/0x200 + ? security_file_permission+0x93/0x260 + vfs_write+0x1b0/0x550 + SyS_write+0xc7/0x1a0 + ? SyS_read+0x1a0/0x1a0 + ? 
trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL_64_fastpath+0x1e/0x8b +RIP: 0033:0x433549 +RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 +======================================================================= + +Cc: syzkaller +Cc: # 3.13 +Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") +Reported-by: Noa Osherovich +Reviewed-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index b5cfdaa9c7c8..15457c9569a7 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, + if (ucmd.reserved0 || ucmd.reserved1) + return -EINVAL; + +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, ++ /* check multiplication overflow */ ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) ++ return -EINVAL; ++ ++ umem = ib_umem_get(context, ucmd.buf_addr, ++ (size_t)ucmd.cqe_size * entries, + IB_ACCESS_LOCAL_WRITE, 1); + if (IS_ERR(umem)) { + err = PTR_ERR(umem); diff --git a/queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch b/queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch new file mode 100644 index 00000000000..c099d4ce469 --- /dev/null +++ b/queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch 
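Review bot: The guard `if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)` is correct but hides a conversion: assuming `entries` is a signed int (its declaration is outside the hunk), `entries - 1` is converted to size_t for the comparison, so `entries <= 0` is rejected as well, and the `<= ... - 1` form is a disguised `entries > SIZE_MAX / ucmd.cqe_size`; a comment such as `/* entries - 1 converts to size_t, so entries <= 0 is rejected here as well */` would save the next reader the derivation. A `cqe_size` of zero skips the guard and asks ib_umem_get() for a zero-length mapping; whether that is rejected downstream or by a cqe_size validation elsewhere in resize_user() is not visible in this hunk, so rejecting `!ucmd.cqe_size` explicitly here would keep the validation self-contained. The same hunk is repeated in the queue-4.15, queue-4.4 and queue-4.9 copies of this patch. resize_user() starts and ends outside the hunk.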
@@ -0,0 +1,33 @@
+From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 18:49:16 +0200
+Subject: RDMA/ucma: Check that user doesn't overflow QP state
+
+From: Leon Romanovsky
+
+commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
+
+The QP state is limited and declared in enum ib_qp_state,
+but ucma user was able to supply any possible (u32) value.
+
+Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
+Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (cmd.qp_state > IB_QPS_ERR)
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
diff --git a/queue-4.14/rdma-ucma-limit-possible-option-size.patch b/queue-4.14/rdma-ucma-limit-possible-option-size.patch
new file mode 100644
index 00000000000..1513ae94e90
--- /dev/null
+++ b/queue-4.14/rdma-ucma-limit-possible-option-size.patch
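Review bot: `if (cmd.qp_state > IB_QPS_ERR)` encodes the assumption that IB_QPS_ERR is the highest enumerator of enum ib_qp_state, which the check itself does not state; a comment such as `/* IB_QPS_ERR is the last value of enum ib_qp_state */` on the added line makes that coupling visible to anyone who later extends the enum. The same three lines are repeated in the queue-4.15, queue-4.4 and queue-4.9 copies of this patch. ucma_init_qp_attr() starts and ends outside the hunk.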
@@ -0,0 +1,38 @@
+From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 14:49:09 +0200
+Subject: RDMA/ucma: Limit possible option size
+
+From: Leon Romanovsky
+
+commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.
+
+Users of ucma are supposed to provide size of option level,
+in most paths it is supposed to be equal to u8 or u16, but
+it is not the case for the IB path record, where it can be
+multiple of struct ib_path_rec_data.
+
+This patch takes simplest possible approach and prevents providing
+values more than possible to allocate.
+
+Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
+Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..9c342c6b612
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,3 @@
+rdma-ucma-limit-possible-option-size.patch
+rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
+rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
diff --git a/queue-4.15/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch b/queue-4.15/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
new file mode 100644
index 00000000000..647729b36fd
--- /dev/null
+++ b/queue-4.15/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
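Review bot: The added guard tests the wrong field: `cmd.optval` is the user pointer that the very next statement casts to `(void __user *)`, while the size handed to memdup_user() is `cmd.optlen`, so the length the commit message says it wants to bound is still unbounded. It is also likely to reject legitimate calls, since on 64-bit a user buffer address will commonly exceed KMALLOC_MAX_SIZE and the call would fail with -EINVAL; the check should read `if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))`. The same line is repeated in the queue-4.15, queue-4.4 and queue-4.9 copies of this patch. ucma_set_option() starts and ends outside the hunk.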
@@ -0,0 +1,87 @@ +From 28e9091e3119933c38933cb8fc48d5618eb784c8 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 7 Mar 2018 15:29:09 +0200 +Subject: RDMA/mlx5: Fix integer overflow while resizing CQ + +From: Leon Romanovsky + +commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. + +The user can provide very large cqe_size which will cause to integer +overflow as it can be seen in the following UBSAN warning: + +======================================================================= +UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 +signed integer overflow: +64870 * 65536 cannot be represented in type 'int' +CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware +name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xde/0x164 + ? dma_virt_map_sg+0x22c/0x22c + ubsan_epilogue+0xe/0x81 + handle_overflow+0x1f3/0x251 + ? __ubsan_handle_negate_overflow+0x19b/0x19b + ? lock_acquire+0x440/0x440 + mlx5_ib_resize_cq+0x17e7/0x1e40 + ? cyc2ns_read_end+0x10/0x10 + ? native_read_msr_safe+0x6c/0x9b + ? cyc2ns_read_end+0x10/0x10 + ? mlx5_ib_modify_cq+0x220/0x220 + ? sched_clock_cpu+0x18/0x200 + ? lookup_get_idr_uobject+0x200/0x200 + ? rdma_lookup_get_uobject+0x145/0x2f0 + ib_uverbs_resize_cq+0x207/0x3e0 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ib_uverbs_write+0x7f9/0xef0 + ? cyc2ns_read_end+0x10/0x10 + ? print_irqtrace_events+0x280/0x280 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ? uverbs_devnode+0x110/0x110 + ? sched_clock_cpu+0x18/0x200 + ? do_raw_spin_trylock+0x100/0x100 + ? __lru_cache_add+0x16e/0x290 + __vfs_write+0x10d/0x700 + ? uverbs_devnode+0x110/0x110 + ? kernel_read+0x170/0x170 + ? sched_clock_cpu+0x18/0x200 + ? security_file_permission+0x93/0x260 + vfs_write+0x1b0/0x550 + SyS_write+0xc7/0x1a0 + ? SyS_read+0x1a0/0x1a0 + ? 
trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL_64_fastpath+0x1e/0x8b +RIP: 0033:0x433549 +RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 +======================================================================= + +Cc: syzkaller +Cc: # 3.13 +Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") +Reported-by: Noa Osherovich +Reviewed-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -1177,7 +1177,12 @@ static int resize_user(struct mlx5_ib_de + if (ucmd.reserved0 || ucmd.reserved1) + return -EINVAL; + +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, ++ /* check multiplication overflow */ ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) ++ return -EINVAL; ++ ++ umem = ib_umem_get(context, ucmd.buf_addr, ++ (size_t)ucmd.cqe_size * entries, + IB_ACCESS_LOCAL_WRITE, 1); + if (IS_ERR(umem)) { + err = PTR_ERR(umem); diff --git a/queue-4.15/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch b/queue-4.15/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch new file mode 100644 index 00000000000..332a6437acf --- /dev/null +++ b/queue-4.15/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch 
@@ -0,0 +1,34 @@
+From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 18:49:16 +0200
+Subject: RDMA/ucma: Check that user doesn't overflow QP state
+
+From: Leon Romanovsky
+
+commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
+
+The QP state is limited and declared in enum ib_qp_state,
+but ucma user was able to supply any possible (u32) value.
+
+Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
+Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (cmd.qp_state > IB_QPS_ERR)
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
diff --git a/queue-4.15/rdma-ucma-limit-possible-option-size.patch b/queue-4.15/rdma-ucma-limit-possible-option-size.patch
new file mode 100644
index 00000000000..71370814d96
--- /dev/null
+++ b/queue-4.15/rdma-ucma-limit-possible-option-size.patch
@@ -0,0 +1,39 @@
+From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 14:49:09 +0200
+Subject: RDMA/ucma: Limit possible option size
+
+From: Leon Romanovsky
+
+commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.
+
+Users of ucma are supposed to provide size of option level,
+in most paths it is supposed to be equal to u8 or u16, but
+it is not the case for the IB path record, where it can be
+multiple of struct ib_path_rec_data.
+
+This patch takes simplest possible approach and prevents providing
+values more than possible to allocate.
+
+Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
+Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
diff --git a/queue-4.15/series b/queue-4.15/series
new file mode 100644
index 00000000000..9c342c6b612
--- /dev/null
+++ b/queue-4.15/series
@@ -0,0 +1,3 @@
+rdma-ucma-limit-possible-option-size.patch
+rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
+rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
diff --git a/queue-4.4/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch b/queue-4.4/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
new file mode 100644
index 00000000000..70a092015c2
--- /dev/null
+++ b/queue-4.4/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
@@ -0,0 +1,87 @@ +From 28e9091e3119933c38933cb8fc48d5618eb784c8 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 7 Mar 2018 15:29:09 +0200 +Subject: RDMA/mlx5: Fix integer overflow while resizing CQ + +From: Leon Romanovsky + +commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. + +The user can provide very large cqe_size which will cause to integer +overflow as it can be seen in the following UBSAN warning: + +======================================================================= +UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 +signed integer overflow: +64870 * 65536 cannot be represented in type 'int' +CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware +name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xde/0x164 + ? dma_virt_map_sg+0x22c/0x22c + ubsan_epilogue+0xe/0x81 + handle_overflow+0x1f3/0x251 + ? __ubsan_handle_negate_overflow+0x19b/0x19b + ? lock_acquire+0x440/0x440 + mlx5_ib_resize_cq+0x17e7/0x1e40 + ? cyc2ns_read_end+0x10/0x10 + ? native_read_msr_safe+0x6c/0x9b + ? cyc2ns_read_end+0x10/0x10 + ? mlx5_ib_modify_cq+0x220/0x220 + ? sched_clock_cpu+0x18/0x200 + ? lookup_get_idr_uobject+0x200/0x200 + ? rdma_lookup_get_uobject+0x145/0x2f0 + ib_uverbs_resize_cq+0x207/0x3e0 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ib_uverbs_write+0x7f9/0xef0 + ? cyc2ns_read_end+0x10/0x10 + ? print_irqtrace_events+0x280/0x280 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ? uverbs_devnode+0x110/0x110 + ? sched_clock_cpu+0x18/0x200 + ? do_raw_spin_trylock+0x100/0x100 + ? __lru_cache_add+0x16e/0x290 + __vfs_write+0x10d/0x700 + ? uverbs_devnode+0x110/0x110 + ? kernel_read+0x170/0x170 + ? sched_clock_cpu+0x18/0x200 + ? security_file_permission+0x93/0x260 + vfs_write+0x1b0/0x550 + SyS_write+0xc7/0x1a0 + ? SyS_read+0x1a0/0x1a0 + ? 
trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL_64_fastpath+0x1e/0x8b +RIP: 0033:0x433549 +RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 +======================================================================= + +Cc: syzkaller +Cc: # 3.13 +Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") +Reported-by: Noa Osherovich +Reviewed-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -972,7 +972,12 @@ static int resize_user(struct mlx5_ib_de + if (ucmd.reserved0 || ucmd.reserved1) + return -EINVAL; + +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, ++ /* check multiplication overflow */ ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) ++ return -EINVAL; ++ ++ umem = ib_umem_get(context, ucmd.buf_addr, ++ (size_t)ucmd.cqe_size * entries, + IB_ACCESS_LOCAL_WRITE, 1); + if (IS_ERR(umem)) { + err = PTR_ERR(umem); diff --git a/queue-4.4/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch b/queue-4.4/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch new file mode 100644 index 00000000000..a3a757020ae --- /dev/null +++ b/queue-4.4/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch 
@@ -0,0 +1,34 @@
+From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 18:49:16 +0200
+Subject: RDMA/ucma: Check that user doesn't overflow QP state
+
+From: Leon Romanovsky
+
+commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
+
+The QP state is limited and declared in enum ib_qp_state,
+but ucma user was able to supply any possible (u32) value.
+
+Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
+Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1138,6 +1138,9 @@ static ssize_t ucma_init_qp_attr(struct
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (cmd.qp_state > IB_QPS_ERR)
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
diff --git a/queue-4.4/rdma-ucma-limit-possible-option-size.patch b/queue-4.4/rdma-ucma-limit-possible-option-size.patch
new file mode 100644
index 00000000000..03626af4bad
--- /dev/null
+++ b/queue-4.4/rdma-ucma-limit-possible-option-size.patch
@@ -0,0 +1,39 @@
+From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 14:49:09 +0200
+Subject: RDMA/ucma: Limit possible option size
+
+From: Leon Romanovsky
+
+commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.
+
+Users of ucma are supposed to provide size of option level,
+in most paths it is supposed to be equal to u8 or u16, but
+it is not the case for the IB path record, where it can be
+multiple of struct ib_path_rec_data.
+
+This patch takes simplest possible approach and prevents providing
+values more than possible to allocate.
+
+Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
+Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1274,6 +1274,9 @@ static ssize_t ucma_set_option(struct uc
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..9c342c6b612
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,3 @@
+rdma-ucma-limit-possible-option-size.patch
+rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
+rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
diff --git a/queue-4.9/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch b/queue-4.9/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
new file mode 100644
index 00000000000..bf419eeab5c
--- /dev/null
+++ b/queue-4.9/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
@@ -0,0 +1,87 @@ +From 28e9091e3119933c38933cb8fc48d5618eb784c8 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Wed, 7 Mar 2018 15:29:09 +0200 +Subject: RDMA/mlx5: Fix integer overflow while resizing CQ + +From: Leon Romanovsky + +commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. + +The user can provide very large cqe_size which will cause to integer +overflow as it can be seen in the following UBSAN warning: + +======================================================================= +UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 +signed integer overflow: +64870 * 65536 cannot be represented in type 'int' +CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware +name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xde/0x164 + ? dma_virt_map_sg+0x22c/0x22c + ubsan_epilogue+0xe/0x81 + handle_overflow+0x1f3/0x251 + ? __ubsan_handle_negate_overflow+0x19b/0x19b + ? lock_acquire+0x440/0x440 + mlx5_ib_resize_cq+0x17e7/0x1e40 + ? cyc2ns_read_end+0x10/0x10 + ? native_read_msr_safe+0x6c/0x9b + ? cyc2ns_read_end+0x10/0x10 + ? mlx5_ib_modify_cq+0x220/0x220 + ? sched_clock_cpu+0x18/0x200 + ? lookup_get_idr_uobject+0x200/0x200 + ? rdma_lookup_get_uobject+0x145/0x2f0 + ib_uverbs_resize_cq+0x207/0x3e0 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ib_uverbs_write+0x7f9/0xef0 + ? cyc2ns_read_end+0x10/0x10 + ? print_irqtrace_events+0x280/0x280 + ? ib_uverbs_ex_create_cq+0x250/0x250 + ? uverbs_devnode+0x110/0x110 + ? sched_clock_cpu+0x18/0x200 + ? do_raw_spin_trylock+0x100/0x100 + ? __lru_cache_add+0x16e/0x290 + __vfs_write+0x10d/0x700 + ? uverbs_devnode+0x110/0x110 + ? kernel_read+0x170/0x170 + ? sched_clock_cpu+0x18/0x200 + ? security_file_permission+0x93/0x260 + vfs_write+0x1b0/0x550 + SyS_write+0xc7/0x1a0 + ? SyS_read+0x1a0/0x1a0 + ? 
trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL_64_fastpath+0x1e/0x8b +RIP: 0033:0x433549 +RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 +======================================================================= + +Cc: syzkaller +Cc: # 3.13 +Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") +Reported-by: Noa Osherovich +Reviewed-by: Yishai Hadas +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -1117,7 +1117,12 @@ static int resize_user(struct mlx5_ib_de + if (ucmd.reserved0 || ucmd.reserved1) + return -EINVAL; + +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, ++ /* check multiplication overflow */ ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) ++ return -EINVAL; ++ ++ umem = ib_umem_get(context, ucmd.buf_addr, ++ (size_t)ucmd.cqe_size * entries, + IB_ACCESS_LOCAL_WRITE, 1); + if (IS_ERR(umem)) { + err = PTR_ERR(umem); diff --git a/queue-4.9/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch b/queue-4.9/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch new file mode 100644 index 00000000000..1ece65b4f26 --- /dev/null +++ b/queue-4.9/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch 
@@ -0,0 +1,34 @@
+From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 18:49:16 +0200
+Subject: RDMA/ucma: Check that user doesn't overflow QP state
+
+From: Leon Romanovsky
+
+commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
+
+The QP state is limited and declared in enum ib_qp_state,
+but ucma user was able to supply any possible (u32) value.
+
+Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
+Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1139,6 +1139,9 @@ static ssize_t ucma_init_qp_attr(struct
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
++ if (cmd.qp_state > IB_QPS_ERR)
++ return -EINVAL;
++
+ ctx = ucma_get_ctx(file, cmd.id);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
diff --git a/queue-4.9/rdma-ucma-limit-possible-option-size.patch b/queue-4.9/rdma-ucma-limit-possible-option-size.patch
new file mode 100644
index 00000000000..d813e674344
--- /dev/null
+++ b/queue-4.9/rdma-ucma-limit-possible-option-size.patch
@@ -0,0 +1,39 @@
+From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 7 Mar 2018 14:49:09 +0200
+Subject: RDMA/ucma: Limit possible option size
+
+From: Leon Romanovsky
+
+commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.
+
+Users of ucma are supposed to provide size of option level,
+in most paths it is supposed to be equal to u8 or u16, but
+it is not the case for the IB path record, where it can be
+multiple of struct ib_path_rec_data.
+
+This patch takes simplest possible approach and prevents providing
+values more than possible to allocate.
+
+Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
+Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1275,6 +1275,9 @@ static ssize_t ucma_set_option(struct uc
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
++ return -EINVAL;
++
+ optval = memdup_user((void __user *) (unsigned long) cmd.optval,
+ cmd.optlen);
+ if (IS_ERR(optval)) {
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..9c342c6b612
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,3 @@
+rdma-ucma-limit-possible-option-size.patch
+rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch
+rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch
-- 
2.47.3