diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-02 13:35:58 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-02 13:35:58 -0700 |
| commit | 06459fc02f53d8adf9ccd9111a6c434dd5b208cd (patch) | |
| tree | c45f953a86b9c5b36f78a478881321b70eb19a29 | |
| parent | 0a4812798fae4f6bfcaab51e31b3898ff5ea3108 (diff) | |
| parent | 8494057ab5e40df590ef6ef7d66324d3ae33356b (diff) | |
| download | ibft-06459fc02f53d8adf9ccd9111a6c434dd5b208cd.tar.gz | |
Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
Pull infiniband/rdma fix from Roland Dreier:
"Fix for exploitable integer overflow in uverbs interface"
* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
| -rw-r--r-- | drivers/infiniband/core/umem.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c index aec7a6aa2951db..8c014b5dab4c82 100644 --- a/drivers/infiniband/core/umem.c +++ b/drivers/infiniband/core/umem.c @@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr, if (dmasync) dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + /* + * If the combination of the addr and size requested for this memory + * region causes an integer overflow, return error. + */ + if ((PAGE_ALIGN(addr + size) <= size) || + (PAGE_ALIGN(addr + size) <= addr)) + return ERR_PTR(-EINVAL); + if (!can_do_mlock()) return ERR_PTR(-EPERM); |