On Sun, Feb 25, 2018 at 01:39:49PM +0200, Leon Romanovsky wrote:
> From: Boris Pismenny <borisp@xxxxxxxxxxxx>
>
> This patch validates user provided input to prevent integer overflow due
> to integer manipulation in the mlx5_ib_create_srq function.
>
> Cc: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # 3.10
> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
> Signed-off-by: Boris Pismenny <borisp@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
>  drivers/infiniband/hw/mlx5/srq.c | 12 +++++++++---
>  include/linux/mlx5/driver.h      |  4 ++--
>  2 files changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/infiniband/hw/mlx5/srq.c b/drivers/infiniband/hw/mlx5/srq.c
> index 6d5fadad9090..d8c44c7f2dbe 100644
> +++ b/drivers/infiniband/hw/mlx5/srq.c
> @@ -241,8 +241,8 @@ struct ib_srq *mlx5_ib_create_srq(struct ib_pd *pd,
>  {
>  	struct mlx5_ib_dev *dev = to_mdev(pd->device);
>  	struct mlx5_ib_srq *srq;
> -	int desc_size;
> -	int buf_size;
> +	u32 desc_size;
> +	u32 buf_size;
>  	int err;
>  	struct mlx5_srq_attr in = {0};
>  	__u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
> @@ -266,12 +266,18 @@ struct ib_srq *mlx5_ib_create_srq(struct ib_pd *pd,
>
>  	desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
>  		    srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
> +	if (desc_size == 0 || srq->msrq.max_gs > desc_size)

What is this doing? Overflow checks should use the divide technique as a
later patch used, not this weird thing..

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
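Review bot: the added `if (desc_size == 0 || srq->msrq.max_gs > desc_size)` in the second hunk tests for overflow only after `sizeof(struct mlx5_wqe_srq_next_seg) + srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg)` has already been evaluated and stored into the `u32 desc_size`, so any wrap has happened by the time it is inspected and the check relies on the wrapped value happening to be zero or smaller than `max_gs`, which a reader cannot easily confirm holds for every wrapping input. Validate the operands before computing the size instead, in the divide form the reply asks for, e.g. `if (srq->msrq.max_gs > (U32_MAX - sizeof(struct mlx5_wqe_srq_next_seg)) / sizeof(struct mlx5_wqe_data_seg))` followed by the function's existing error return, and only then assign `desc_size`. The hunk is also cut off in this quote, so the error path taken when the new check fires is not visible here and should be confirmed against the full patch.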