| From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001 |
| From: Leon Romanovsky <leonro@mellanox.com> |
| Date: Wed, 7 Mar 2018 14:49:09 +0200 |
| Subject: RDMA/ucma: Limit possible option size |
| |
| From: Leon Romanovsky <leonro@mellanox.com> |
| |
| commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream. |
| |
| Users of ucma are supposed to provide the size of the option level, |
| in most paths it is supposed to be equal to u8 or u16, but |
| it is not the case for the IB path record, where it can be |
| a multiple of struct ib_path_rec_data. |
| |
| This patch takes the simplest possible approach and prevents providing |
| values larger than is possible to allocate. |
| |
| Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com |
| Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") |
| Signed-off-by: Leon Romanovsky <leonro@mellanox.com> |
| Signed-off-by: Doug Ledford <dledford@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/infiniband/core/ucma.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/infiniband/core/ucma.c |
| +++ b/drivers/infiniband/core/ucma.c |
| @@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc |
| if (IS_ERR(ctx)) |
| return PTR_ERR(ctx); |
| |
| + if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) |
| + return -EINVAL; |
| + |
| optval = memdup_user((void __user *) (unsigned long) cmd.optval, |
| cmd.optlen); |
| if (IS_ERR(optval)) { |
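
Review bot: the added check in ucma_set_option() compares cmd.optval, but the next line casts cmd.optval to the user pointer passed to memdup_user(), and the size of the allocation is cmd.optlen. To limit the option size as the subject line says, the comparison should be "cmd.optlen > KMALLOC_MAX_SIZE". As written, an oversized optlen still reaches memdup_user(), and a well-formed request is rejected whenever the user buffer's address is numerically larger than KMALLOC_MAX_SIZE. Separately, the new "return -EINVAL" sits after ctx has been obtained and returns directly, while the IS_ERR(optval) branch just below opens a block; please confirm the early return does not skip cleanup of ctx, or move the size check ahead of the ctx lookup so the question does not arise.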