leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5ecce4c9b1
linux/drivers/infiniband/core
History
Boris Pismenny 5ecce4c9b1 RDMA/uverbs: Check port number supplied by user verbs cmds 
The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures.  If the value is invalid, the kernel accesses memory
it should not.  To prevent this, verify the port number before using it.

BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313

BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819

Fixes: 67cdb40ca4 ("[IB] uverbs: Implement more commands")
Fixes: 189aba99e7 ("IB/uverbs: Extend modify_qp and support packet pacing")
Cc: <stable@vger.kernel.org> # v2.6.14+
Cc: <security@kernel.org>
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-07-03 11:06:55 -04:00
..
addr.c IB/addr: Fix setting source address in addr6_resolve() 2017-06-07 14:34:19 -04:00
agent.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
agent.h IB/mad: Add final OPA MAD processing 2015-06-12 14:49:18 -04:00
cache.c IB/core: Add inline function to validate port 2017-01-27 14:33:59 -05:00
cgroup.c IB/core: added support to use rdma cgroup controller 2017-01-10 11:14:27 -05:00
cm_msgs.h IB/core: Fix unaligned accesses 2015-05-05 13:21:27 -04:00
cm.c RDMA/SA: Fix kernel panic in CMA request handler flow 2017-06-01 17:20:14 -04:00
cma_configfs.c IB/cma: Add default RoCE TOS to CMA configfs 2017-02-15 09:51:28 -05:00
cma.c RDMA/SA: Fix kernel panic in CMA request handler flow 2017-06-01 17:20:14 -04:00
core_priv.h RDMA/netlink: Reduce exposure of RDMA netlink functions 2017-06-01 17:20:11 -04:00
cq.c IB/cq: Don't process more than the given budget 2017-03-24 22:19:48 -04:00
device.c IB/core: Fix kernel crash during fail to initialize device 2017-04-21 12:26:05 -04:00
fmr_pool.c IB/fmr_pool: Convert the cleanup thread into kthread worker API 2017-04-25 14:24:17 -04:00
iwcm.c rdma_cm: add rdma_reject_msg() helper function 2016-12-14 11:38:28 -05:00
iwcm.h iw_cm: free cm_id resources on the last deref 2016-08-02 13:15:18 -04:00
iwpm_msg.c IB/core: Remove debug prints after allocation failure 2016-12-03 13:12:52 -05:00
iwpm_util.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
iwpm_util.h iwpm: crash fix for large connections test 2016-03-16 13:48:32 -04:00
mad_priv.h IB/mad: use CQ abstraction 2016-01-19 15:25:45 -05:00
mad_rmpp.c IB/core: Use rdma_ah_attr accessor functions 2017-05-01 14:32:43 -04:00
mad_rmpp.h
mad.c IB/core: Use rdma_ah_attr accessor functions 2017-05-01 14:32:43 -04:00
Makefile IB/core: Add idr based standard types 2017-04-05 13:28:04 -04:00
mr_pool.c IB/core: add a simple MR pool 2016-05-13 13:37:18 -04:00
multicast.c IB/core: Define 'ib' and 'roce' rdma_ah_attr types 2017-05-01 14:32:43 -04:00
netlink.c RDMA/netlink: Reduce exposure of RDMA netlink functions 2017-06-01 17:20:11 -04:00
opa_smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
packer.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
rdma_core.c IB/core: Nullify ib_uobject during allocation 2017-04-20 11:44:07 -04:00
rdma_core.h IB/core: Add support for fd objects 2017-04-05 13:28:04 -04:00
roce_gid_mgmt.c IB/core: Remove pointer casting from void to net_device 2017-02-15 09:51:28 -05:00
rw.c IB/core, RDMA RW API: Do not exceed QP SGE send limit 2016-08-02 12:02:41 -04:00
sa_query.c RDMA/SA: Fix kernel panic in CMA request handler flow 2017-06-01 17:20:14 -04:00
sa.h
smi.c IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
sysfs.c IB/core: Add HDR speed enum 2017-04-21 12:29:31 -04:00
ucm.c char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
ucma.c IB/SA: Add OPA path record type 2017-05-01 14:39:02 -04:00
ud_header.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
umem_odp.c RDMA/umem: Fix missing mmap_sem in get umem ODP call 2017-06-01 17:20:13 -04:00
umem_rbtree.c IB/umem: Update on demand page (ODP) support 2017-02-14 11:41:17 -05:00
umem.c RDMA/core: not to set page dirty bit if it's already set. 2017-06-01 17:20:12 -04:00
user_mad.c char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
uverbs_cmd.c RDMA/uverbs: Check port number supplied by user verbs cmds 2017-07-03 11:06:55 -04:00
uverbs_main.c char/misc patches for 4.12-rc1 2017-05-04 19:15:35 -07:00
uverbs_marshall.c RDMA/uverbs: Declare local function static and add brackets to sizeof 2017-06-01 17:20:12 -04:00
uverbs_std_types.c IB/core: Rename ib_destroy_ah to rdma_destroy_ah 2017-05-01 14:32:43 -04:00
uverbs.h IB/core: Introduce drop flow specification 2017-04-21 12:26:05 -04:00
verbs.c IB/core: Define 'ib' and 'roce' rdma_ah_attr types 2017-05-01 14:32:43 -04:00