| From foo@baz Sat Jan 13 10:51:05 CET 2018 |
| From: Mohamed Ghannam <simo.ghannam@gmail.com> |
| Date: Tue, 2 Jan 2018 19:44:34 +0000 |
| Subject: RDS: Heap OOB write in rds_message_alloc_sgs() |
| |
| From: Mohamed Ghannam <simo.ghannam@gmail.com> |
| |
| |
| [ Upstream commit c095508770aebf1b9218e77026e48345d719b17c ] |
| |
| When args->nr_local is 0, nr_pages gets also 0 due some size |
| calculation via rds_rm_size(), which is later used to allocate |
| pages for DMA, this bug produces a heap Out-Of-Bound write access |
| to a specific memory region. |
| |
| Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/rds/rdma.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/rds/rdma.c |
| +++ b/net/rds/rdma.c |
| @@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_ |
| |
| local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; |
| |
| + if (args->nr_local == 0) |
| + return -EINVAL; |
| + |
| /* figure out the number of pages in the vector */ |
| for (i = 0; i < args->nr_local; i++) { |
| if (copy_from_user(&vec, &local_vec[i], |
