-rw-r--r-- | IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch | 47 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 56 insertions, 0 deletions
diff --git a/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch b/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
new file mode 100644
index 000000000..8f51675ea
--- /dev/null
+++ b/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
@@ -0,0 +1,47 @@
+From: Shachar Raindel <raindel@mellanox.com>
+Date: Sun, 4 Jan 2015 18:30:32 +0200
+Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address
+ arithmetic
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Issue: 470602
+Change-Id: Iee88441db454af291fc5a376009d840603398d23
+Signed-off-by: Shachar Raindel <raindel@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+---
+ drivers/infiniband/core/umem.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index aec7a6aa2951..8c014b5dab4c 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+ if (dmasync)
+ dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ /*
++ * If the combination of the addr and size requested for this memory
++ * region causes an integer overflow, return error.
++ */
++ if ((PAGE_ALIGN(addr + size) <= size) ||
++ (PAGE_ALIGN(addr + size) <= addr))
++ return ERR_PTR(-EINVAL);
++
+ if (!can_do_mlock())
+ return ERR_PTR(-EPERM);
+
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index 515a052d9..b37678f8f 100644
--- a/kernel.spec
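Review bot: The two `<=` comparisons in the check added to drivers/infiniband/core/umem.c reject more than wrapped ranges: with `addr == 0` and a page-aligned `size`, `PAGE_ALIGN(addr + size)` equals `size`, so the first clause returns -EINVAL although nothing overflowed, and a zero `size` at a page-aligned `addr` trips the second clause the same way. A test that matches the stated intent compares the sum before and after alignment, `if (addr + size < addr || PAGE_ALIGN(addr + size) < addr + size) return ERR_PTR(-EINVAL);`, which still rejects wrap-around in both the addition and the round-up. If zero-length registrations are meant to be refused, that deserves its own explicit `if (!size)` check rather than falling out of the overflow test. Only `addr` is visibly `unsigned long` in the hunk header; the type of `size` and the rest of ib_umem_get lie outside the hunk, so confirm the arithmetic is unsigned on both operands.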
+++ b/kernel.spec @@ -654,6 +654,9 @@ Patch26164: Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch #CVE-2015-2150 rhbz 1196266 1200397 Patch26165: xen-pciback-limit-guest-control-of-command-register.patch +#CVE-2014-8159 rhbz 1181166 1200950 +Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1412,6 +1415,9 @@ ApplyPatch Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch #CVE-2015-2150 rhbz 1196266 1200397 ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch +#CVE-2014-8159 rhbz 1181166 1200950 +ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2269,6 +2275,9 @@ fi # # %changelog +* Thu Mar 12 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950) + * Wed Mar 11 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.0.0-0.rc3.git1.1 - Linux v4.0-rc3-111-gaffb8172de39 - CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397) |