39 lines
1.2 KiB
Diff
39 lines
1.2 KiB
Diff
From: Eyal Itkin <eyal.itkin@gmail.com>
|
|
Date: Tue, 7 Feb 2017 16:45:19 +0300
|
|
Subject: IB/rxe: Fix mem_check_range integer overflow
|
|
Origin: https://git.kernel.org/linus/647bf3d8a8e5777319da92af672289b2a6c4dc66
|
|
|
|
Update the range check to avoid integer-overflow in edge case.
|
|
Resolves CVE 2016-8636.
|
|
|
|
Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
|
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
|
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
|
|
Signed-off-by: Doug Ledford <dledford@redhat.com>
|
|
---
|
|
drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
index d0faca294006..86a6585b847d 100644
|
|
--- a/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
|
|
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
|
|
|
|
case RXE_MEM_TYPE_MR:
|
|
case RXE_MEM_TYPE_FMR:
|
|
- return ((iova < mem->iova) ||
|
|
- ((iova + length) > (mem->iova + mem->length))) ?
|
|
- -EFAULT : 0;
|
|
+ if (iova < mem->iova ||
|
|
+ length > mem->length ||
|
|
+ iova > mem->iova + mem->length - length)
|
|
+ return -EFAULT;
|
|
+ return 0;
|
|
|
|
default:
|
|
return -EFAULT;
|
|
--
|
|
2.11.0
|
|
|