| From 647bf3d8a8e5777319da92af672289b2a6c4dc66 Mon Sep 17 00:00:00 2001 |
| From: Eyal Itkin <eyal.itkin@gmail.com> |
| Date: Tue, 7 Feb 2017 16:45:19 +0300 |
| Subject: IB/rxe: Fix mem_check_range integer overflow |
| |
| From: Eyal Itkin <eyal.itkin@gmail.com> |
| |
| commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream. |
| |
| Update the range check to avoid integer-overflow in edge case. |
| Resolves CVE 2016-8636. |
| |
| Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Leon Romanovsky <leonro@mellanox.com> |
| Signed-off-by: Doug Ledford <dledford@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++--- |
| 1 file changed, 5 insertions(+), 3 deletions(-) |
| |
| --- a/drivers/infiniband/sw/rxe/rxe_mr.c |
| +++ b/drivers/infiniband/sw/rxe/rxe_mr.c |
| @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, |
| |
| case RXE_MEM_TYPE_MR: |
| case RXE_MEM_TYPE_FMR: |
| - return ((iova < mem->iova) || |
| - ((iova + length) > (mem->iova + mem->length))) ? |
| - -EFAULT : 0; |
| + if (iova < mem->iova || |
| + length > mem->length || |
| + iova > mem->iova + mem->length - length) |
| + return -EFAULT; |
| + return 0; |
| |
| default: |
| return -EFAULT; |