| From 647bf3d8a8e5777319da92af672289b2a6c4dc66 Mon Sep 17 00:00:00 2001 |
| From: Eyal Itkin <eyal.itkin@gmail.com> |
| Date: Tue, 7 Feb 2017 16:45:19 +0300 |
| Subject: [PATCH] IB/rxe: Fix mem_check_range integer overflow |
| |
| commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream. |
| |
| Update the range check to avoid an integer overflow in an edge case. |
| Resolves CVE-2016-8636. |
| |
| Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Leon Romanovsky <leonro@mellanox.com> |
| Signed-off-by: Doug Ledford <dledford@redhat.com> |
| |
| diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c |
| index d0faca294006..86a6585b847d 100644 |
| --- a/drivers/infiniband/sw/rxe/rxe_mr.c |
| +++ b/drivers/infiniband/sw/rxe/rxe_mr.c |
| @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length) |
| |
| case RXE_MEM_TYPE_MR: |
| case RXE_MEM_TYPE_FMR: |
| - return ((iova < mem->iova) || |
| - ((iova + length) > (mem->iova + mem->length))) ? |
| - -EFAULT : 0; |
| + if (iova < mem->iova || |
| + length > mem->length || |
| + iova > mem->iova + mem->length - length) |
| + return -EFAULT; |
| + return 0; |
| |
| default: |
| return -EFAULT; |
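Review bot: The third clause, `iova > mem->iova + mem->length - length`, still contains an addition, and it is only safe because the `length > mem->length` clause before it keeps `mem->length - length` from underflowing. Since the first two clauses already establish `iova >= mem->iova` and `length <= mem->length`, the bound can be written with subtractions only, `iova - mem->iova > mem->length - length`, which leaves no wrapping case to reason about for a region near the top of the u64 range. Whether registration already rules out such a region is not visible in this hunk. Either way, a short comment such as `/* order matters: the two checks above keep the subtraction below from underflowing */` would stop a later reordering from reintroducing the overflow. The body of mem_check_range starts and ends outside the hunk.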
| -- |
| 2.12.0 |
| |