On Tue, 2017-02-07 at 16:45 +0300, Dan Carpenter wrote: > From: Eyal Itkin <eyal.itkin@xxxxxxxxx> > > Update the range check to avoid integer-overflow in edge case. > Resolves CVE 2016-8636. > > Signed-off-by: Eyal Itkin <eyal.itkin@xxxxxxxxx> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > v2: I completely misread Eyal's first patch. > > diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c > b/drivers/infiniband/sw/rxe/rxe_mr.c > index 8cf38b253c37..37eea7441ca4 100644 > --- a/drivers/infiniband/sw/rxe/rxe_mr.c > +++ b/drivers/infiniband/sw/rxe/rxe_mr.c > @@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, > size_t length) > > case RXE_MEM_TYPE_MR: > case RXE_MEM_TYPE_FMR: > - return ((iova < mem->iova) || > - ((iova + length) > (mem->iova + mem- > >length))) ? > - -EFAULT : 0; > + if (iova < mem->iova || > + length > mem->length || > + iova > mem->iova + mem->length - length) > + return -EFAULT; > + return 0; > > default: > return -EFAULT; Thanks, applied. -- Doug Ledford <dledford@xxxxxxxxxx> GPG KeyID: B826A3330E572FDD Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD
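Review bot: In the RXE_MEM_TYPE_MR / RXE_MEM_TYPE_FMR case, the third condition `iova > mem->iova + mem->length - length` is only safe because `length > mem->length` is tested before it and short-circuits. Without that ordering the subtraction wraps, and nothing in the hunk documents the dependency. A one-line comment above the `if` would keep a later cleanup from reordering or merging the conditions and bringing back the wrap that the removed `(iova + length) > (mem->iova + mem->length)` comparison had. The new form also still computes `mem->iova + mem->length`, so it assumes that sum cannot wrap for a registered region. The check that guarantees this is not in the visible lines and should be named in the comment or the commit message. The commit message says only "edge case"; stating that the problem was `iova + length` wrapping would make the fix easier to audit and backport.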