On Fri, 2017-03-24 at 15:55 -0400, Vlad Tsyrklevich wrote: > The 'num_sge' variable is verfied to be smaller than the 'sge_count' > variable; however, since both are user-controlled it's possible to cause > an integer overflow for the kmalloc multiply on 32-bit platforms > (num_sge and sge_count are both defined u32). By crafting an input that > causes a smaller-than-expected allocation it's possible to write > controlled data out-of-bounds. Hello Vlad, Do you think that an RDMA driver exists that supports a max_sge value that is large enough to cause this multiplication to overflow? Bart.-- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
