From cb90a912a087fe401732b512907c2d7fa478317a Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 6 Apr 2015 17:06:28 +0000 Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic (CVE-2014-8159) svn path=/dists/sid/linux/; revision=22471 --- debian/changelog | 2 + ...vent-integer-overflow-in-ib_umem_get.patch | 38 +++++++++++++++++++ debian/patches/series | 2 + 3 files changed, 42 insertions(+) create mode 100644 debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch diff --git a/debian/changelog b/debian/changelog index 790ddd142..aa44ab8b5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -178,6 +178,8 @@ linux (3.16.7-ckt9-1) UNRELEASED; urgency=medium * [armel/kirkwood] linux-image: Add versioned Breaks against flash-kernel, to ensure that an FDT is appended to the image if needed (Closes: #781193) * Revert "quota: Store maximum space limit in bytes" to avoid ABI change + * IB/core: Prevent integer overflow in ib_umem_get address arithmetic + (CVE-2014-8159) -- Ian Campbell Wed, 18 Mar 2015 21:07:15 +0000 diff --git a/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch b/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch new file mode 100644 index 000000000..99ac0f3cf --- /dev/null +++ b/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch 
@@ -0,0 +1,38 @@ +From: Shachar Raindel +Date: Sun, 04 Jan 2015 18:30:32 +0200 +Subject: IB/core: Prevent integer overflow in ib_umem_get address arithmetic +Origin: https://marc.info/?l=oss-security&m=142672196502144&w=2 + +Properly verify that the resulting page aligned end address is larger +than both the start address and the length of the memory area +requested. + +Both the start and length arguments for ib_umem_get are controlled by +the user. A misbehaving user can provide values which will cause an +integer overflow when calculating the page aligned end address. + +This overflow can cause also miscalculation of the number of pages +mapped, and additional logic issues. + +Signed-off-by: Shachar Raindel +Signed-off-by: Jack Morgenstein +Signed-off-by: Or Gerlitz +--- + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_uc + if (dmasync) + dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if ((PAGE_ALIGN(addr + size) <= size) || ++ (PAGE_ALIGN(addr + size) <= addr)) ++ return ERR_PTR(-EINVAL); ++ + if (!can_do_mlock()) + return ERR_PTR(-EPERM); + diff --git a/debian/patches/series b/debian/patches/series index f845464ee..6b2cb22d1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -554,3 +554,5 @@ debian/perf-fix-abi-change-in-3.16.7-ckt6.patch debian/mm-fix-pagecache_get_page-abi-change-in-3.16.7-ckt6.patch debian/tcp-fix-abi-change-in-3.16.7-ckt7.patch debian/usb-avoid-abi-change-in-3.16.7-ckt8.patch + +bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
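Review bot: In the drivers/infiniband/core/umem.c hunk, the two <= comparisons in the new check also reject requests that do not overflow. With addr == 0 and a page-aligned size, PAGE_ALIGN(addr + size) equals size, so the first comparison is true and ib_umem_get returns -EINVAL for a range that never wrapped. Likewise, size == 0 with a page-aligned addr trips the second comparison, while size == 0 with an unaligned addr can pass, so zero-length handling depends on alignment. Testing the wrap itself avoids both: (addr + size) < addr for the sum, and PAGE_ALIGN(addr + size) < (addr + size) for the round-up. If zero-length registrations are meant to be refused, an explicit size == 0 test would state that directly. Separately, the Origin: field in the Debian patch header points at an oss-security post; once the fix has an upstream commit, referencing it there would make the patch easier to track and to drop on the next rebase.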