[PATCH 4.14-stable 0/2] Port upstream patch

List overview All Threads
Download

newer

older

stable-rc/queue/5.15 build: 179...

stable-rc/queue/4.4 build: 186...

mike.marciniszyn＠cornelisnetworks.com

4 Nov 2021 4 Nov '21

1:55 p.m.

From: Mike Marciniszyn mike.marciniszyn@cornelisnetworks.com

This series ports upstream commit:

d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields")

Gustavo A. R. Silva (1): IB/qib: Use struct_size() helper

Mike Marciniszyn (1): IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

drivers/infiniband/hw/qib/qib_user_sdma.c | 35 ++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 10 deletions(-)

Show replies by date

mike.marciniszyn＠cornelisnetworks.com

4 Nov 4 Nov

1:55 p.m.

New subject: [PATCH 4.14-stable 1/2] IB/qib: Use struct_size() helper

From: "Gustavo A. R. Silva" gustavo@embeddedor.com

upstream commit 829ca44ecf60e9b6f83d0161a6ef10c1304c5060.

[Apply to 4.14.x]

Make use of the struct_size() helper instead of an open-coded version in order to avoid any potential type mistakes, in particular in the context in which this code is being used.

So, replace the following form:

sizeof(*pkt) + sizeof(pkt->addr[0])*n

with:

struct_size(pkt, addr, n)

Also, notice that variable size is unnecessary, hence it is removed.

This code was detected with the help of Coccinelle.

Backport notes: - Needed to include linux/overflow.h

Signed-off-by: Gustavo A. R. Silva gustavo@embeddedor.com Signed-off-by: Mike Marciniszyn mike.marciniszyn@cornelisnetworks.com Reviewed-by: Dennis Dalessandro dennis.dalessandro@intel.com Signed-off-by: Jason Gunthorpe jgg@mellanox.com --- drivers/infiniband/hw/qib/qib_user_sdma.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c index 926f3c8..ffb4257 100644 --- a/drivers/infiniband/hw/qib/qib_user_sdma.c +++ b/drivers/infiniband/hw/qib/qib_user_sdma.c @@ -41,6 +41,7 @@ #include <linux/rbtree.h> #include <linux/spinlock.h> #include <linux/delay.h> +#include <linux/overflow.h>

#include "qib.h" #include "qib_user_sdma.h" @@ -908,10 +909,11 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, }

if (frag_size) { - int pktsize, tidsmsize, n; + int tidsmsize, n; + size_t pktsize;

n = npages*((2*PAGE_SIZE/frag_size)+1); - pktsize = sizeof(*pkt) + sizeof(pkt->addr[0])*n; + pktsize = struct_size(pkt, addr, n);

/* * Determine if this is tid-sdma or just sdma.

-- 1.8.3.1

mike.marciniszyn＠cornelisnetworks.com

1:55 p.m.

New subject: [PATCH 4.14-stable 2/2] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

From: Mike Marciniszyn mike.marciniszyn@cornelisnetworks.com

upstream commit d39bf40e55e666b5905fdbd46a0dced030ce87be.

[Apply to 4.14.x]

Overflowing either addrlimit or bytes_togo can allow userspace to trigger a buffer overflow of kernel memory. Check for overflows in all the places doing math on user controlled buffers.

Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisne... Reported-by: Ilja Van Sprundel ivansprundel@ioactive.com Reviewed-by: Dennis Dalessandro dennis.dalessandro@cornelisnetworks.com Signed-off-by: Mike Marciniszyn mike.marciniszyn@cornelisnetworks.com Signed-off-by: Dennis Dalessandro dennis.dalessandro@cornelisnetworks.com Signed-off-by: Jason Gunthorpe jgg@nvidia.com --- drivers/infiniband/hw/qib/qib_user_sdma.c | 33 +++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c index ffb4257..42329bb 100644 --- a/drivers/infiniband/hw/qib/qib_user_sdma.c +++ b/drivers/infiniband/hw/qib/qib_user_sdma.c @@ -607,7 +607,7 @@ static int qib_user_sdma_coalesce(const struct qib_devdata *dd, /* * How many pages in this iovec element? */ -static int qib_user_sdma_num_pages(const struct iovec *iov) +static size_t qib_user_sdma_num_pages(const struct iovec *iov) { const unsigned long addr = (unsigned long) iov->iov_base; const unsigned long len = iov->iov_len; @@ -663,7 +663,7 @@ static void qib_user_sdma_free_pkt_frag(struct device *dev, static int qib_user_sdma_pin_pages(const struct qib_devdata *dd, struct qib_user_sdma_queue *pq, struct qib_user_sdma_pkt *pkt, - unsigned long addr, int tlen, int npages) + unsigned long addr, int tlen, size_t npages) { struct page *pages[8]; int i, j; @@ -727,7 +727,7 @@ static int qib_user_sdma_pin_pkt(const struct qib_devdata *dd, unsigned long idx;

for (idx = 0; idx < niov; idx++) { - const int npages = qib_user_sdma_num_pages(iov + idx); + const size_t npages = qib_user_sdma_num_pages(iov + idx); const unsigned long addr = (unsigned long) iov[idx].iov_base;

ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr, @@ -829,8 +829,8 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, unsigned pktnw; unsigned pktnwc; int nfrags = 0; - int npages = 0; - int bytes_togo = 0; + size_t npages = 0; + size_t bytes_togo = 0; int tiddma = 0; int cfur;

@@ -890,7 +890,11 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,

npages += qib_user_sdma_num_pages(&iov[idx]);

- bytes_togo += slen; + if (check_add_overflow(bytes_togo, slen, &bytes_togo) || + bytes_togo > type_max(typeof(pkt->bytes_togo))) { + ret = -EINVAL; + goto free_pbc; + } pktnwc += slen >> 2; idx++; nfrags++; @@ -909,8 +913,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, }

if (frag_size) { - int tidsmsize, n; - size_t pktsize; + size_t tidsmsize, n, pktsize, sz, addrlimit;

n = npages*((2*PAGE_SIZE/frag_size)+1); pktsize = struct_size(pkt, addr, n); @@ -928,14 +931,24 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd, else tidsmsize = 0;

- pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL); + if (check_add_overflow(pktsize, tidsmsize, &sz)) { + ret = -EINVAL; + goto free_pbc; + } + pkt = kmalloc(sz, GFP_KERNEL); if (!pkt) { ret = -ENOMEM; goto free_pbc; } pkt->largepkt = 1; pkt->frag_size = frag_size; - pkt->addrlimit = n + ARRAY_SIZE(pkt->addr); + if (check_add_overflow(n, ARRAY_SIZE(pkt->addr), + &addrlimit) || + addrlimit > type_max(typeof(pkt->addrlimit))) { + ret = -EINVAL; + goto free_pbc; + } + pkt->addrlimit = addrlimit;

if (tiddma) { char *tidsm = (char *)pkt + pktsize;

-- 1.8.3.1

Greg KH

2:11 p.m.

On Thu, Nov 04, 2021 at 09:55:43AM -0400, mike.marciniszyn@cornelisnetworks.com wrote:

...

From: Mike Marciniszyn mike.marciniszyn@cornelisnetworks.com

This series ports upstream commit:

d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields")

Gustavo A. R. Silva (1): IB/qib: Use struct_size() helper

Mike Marciniszyn (1): IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

drivers/infiniband/hw/qib/qib_user_sdma.c | 35 ++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 10 deletions(-)

All now queued up, thanks!

greg k-h

1094

days inactive

1094

days old

linux-stable-mirror@lists.linaro.org

3 comments

participants

tags (0)

participants (2)

Greg KH
mike.marciniszyn＠cornelisnetworks.com