IB/core: Prevent integer overflow in ib_umem_get address arithmetic (CVE-2014-8159)
svn path=/dists/sid/linux/; revision=22471
parent
6ede30f9f0
commit
cb90a912a0
|
@ -178,6 +178,8 @@ linux (3.16.7-ckt9-1) UNRELEASED; urgency=medium
|
||||||
* [armel/kirkwood] linux-image: Add versioned Breaks against flash-kernel,
|
* [armel/kirkwood] linux-image: Add versioned Breaks against flash-kernel,
|
||||||
to ensure that an FDT is appended to the image if needed (Closes: #781193)
|
to ensure that an FDT is appended to the image if needed (Closes: #781193)
|
||||||
* Revert "quota: Store maximum space limit in bytes" to avoid ABI change
|
* Revert "quota: Store maximum space limit in bytes" to avoid ABI change
|
||||||
|
* IB/core: Prevent integer overflow in ib_umem_get address arithmetic
|
||||||
|
(CVE-2014-8159)
|
||||||
|
|
||||||
-- Ian Campbell <ijc@debian.org> Wed, 18 Mar 2015 21:07:15 +0000
|
-- Ian Campbell <ijc@debian.org> Wed, 18 Mar 2015 21:07:15 +0000
|
||||||
|
|
||||||
|
|
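--- a/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
+++ b/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
@@ -0,0 +1,38 @@
+From: Shachar Raindel <raindel@mellanox.com>
+Date: Sun, 04 Jan 2015 18:30:32 +0200
+Subject: IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+Origin: https://marc.info/?l=oss-security&m=142672196502144&w=2
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Signed-off-by: Shachar Raindel <raindel@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+---
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_uc
+if (dmasync)
+dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ /*
++ * If the combination of the addr and size requested for this memory
++ * region causes an integer overflow, return error.
++ */
++ if ((PAGE_ALIGN(addr + size) <= size) ||
++ (PAGE_ALIGN(addr + size) <= addr))
++ return ERR_PTR(-EINVAL);
++
+if (!can_do_mlock())
+return ERR_PTR(-EPERM);
+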
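Review bot: The overflow guard added before `can_do_mlock()` tests the wrap only indirectly, by comparing the page-aligned end against `size` and against `addr`, and that leaves two edge cases. A zero `size` with an unaligned `addr` passes, while a non-wrapping region that starts at address 0 with a page-multiple length is rejected by the `<= size` arm. Checking each step directly is easier to audit: `if (addr + size < addr || PAGE_ALIGN(addr + size) < addr + size) return ERR_PTR(-EINVAL);`, with a separate `if (!size) return ERR_PTR(-EINVAL);` if zero-length registrations are meant to fail. This assumes `addr` and `size` are unsigned, which the truncated signature in the hunk header does not show; the body of ib_umem_get continues outside the hunk. The added comment could also say that both values come from userspace, as the patch description does, so the reason for the check stays next to the code.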
|
@ -554,3 +554,5 @@ debian/perf-fix-abi-change-in-3.16.7-ckt6.patch
|
||||||
debian/mm-fix-pagecache_get_page-abi-change-in-3.16.7-ckt6.patch
|
debian/mm-fix-pagecache_get_page-abi-change-in-3.16.7-ckt6.patch
|
||||||
debian/tcp-fix-abi-change-in-3.16.7-ckt7.patch
|
debian/tcp-fix-abi-change-in-3.16.7-ckt7.patch
|
||||||
debian/usb-avoid-abi-change-in-3.16.7-ckt8.patch
|
debian/usb-avoid-abi-change-in-3.16.7-ckt8.patch
|
||||||
|
|
||||||
|
bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
|
||||||
|
|