On Sun, Mar 08, 2020 at 03:48:36AM +0000, Changming Liu wrote:
> This email is sent because the previous one was rejected, as it was in HTML form.
>
> From: Changming Liu
> Sent: Friday, March 6, 2020 8:50 PM
> To: dledford@xxxxxxxxxx; jgg@xxxxxxxxxxxx
> Cc: linux-rdma@xxxxxxxxxxxxxxx; yaohway@xxxxxxxxx
> Subject: [bug report] infiniband: integer overflow in ib_uverbs_post_send
>
> Hi Doug and Jason:
> Greetings, I'm a first-year PhD student who is interested in the usage of UBSan in the Linux kernel, and with some experiments I found that in
> /drivers/infiniband/core/uverbs_cmd.c, function ib_uverbs_post_send, there is an unsigned integer overflow which might cause undesired behavior.
>
> More specifically, the cmd structure, after the execution of uverbs_request_start, is filled with data from user space. Then two __u32 integers in this structure are multiplied together, as shown below:
>
> wqes = uverbs_request_next_ptr(&iter, cmd.wqe_size * cmd.wr_count);

It doesn't matter, this is computing a __user pointer which is always used with copy_to_user. If the user overflows this multiply then they will get EFAULT instead of ENOSPC. In all cases copy_to_user will not allow the kernel to be harmed.

Jason
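The arithmetic behind both messages, as an added userspace model that is not code from the thread or from the kernel: the two __u32 values are multiplied in 32 bits, so the product wraps and the single up-front length check on the request accepts a size that is too small, but each work request is then copied individually, so an address outside the user mapping makes the copy fail rather than letting the kernel read past anything. The iterator, the copy routine and the numbers below are constructed stand-ins for uverbs_request_next_ptr and copy_*_user, and product_overflows() uses the compiler builtin where the kernel would use check_mul_overflow().

```c
/* Added example, not kernel code: a userspace model of the u32 multiply in the
 * report and of why a wrapped product ends in -EFAULT rather than a bad read. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the request iterator: a cursor into `len` bytes. */
struct req_iter {
    size_t cur;   /* bytes of the request consumed so far */
    size_t len;   /* total bytes the caller supplied */
};

/* Length check over the remaining request (shape of the real check, not its
 * code): -ENOSPC if `nbytes` are not left, otherwise hand back the offset
 * of the sub-buffer and advance past it. */
static int iter_next(struct req_iter *it, size_t nbytes, size_t *off)
{
    if (nbytes > it->len - it->cur)
        return -ENOSPC;
    *off = it->cur;
    it->cur += nbytes;
    return 0;
}

/* The multiply exactly as the report shows it: u32 * u32 evaluated in u32. */
uint32_t wrapped_product(uint32_t wqe_size, uint32_t wr_count)
{
    return wqe_size * wr_count;     /* wraps modulo 2^32 */
}

/* The same multiply with the wrap detected (check_mul_overflow() in the
 * kernel; the GCC/clang builtin here). True means the product wrapped. */
bool product_overflows(uint32_t wqe_size, uint32_t wr_count)
{
    uint32_t out;
    return __builtin_mul_overflow(wqe_size, wr_count, &out);
}

/* Constructed model of copy_from_user(): the user mapping is `user_mapped`
 * bytes long; a copy that runs past it fails with -EFAULT and reads nothing. */
static int model_copy_from_user(size_t off, size_t nbytes, size_t user_mapped)
{
    if (off > user_mapped || nbytes > user_mapped - off)
        return -EFAULT;
    return 0;
}

/* Walk the WR array the way the report describes the handler doing it:
 * size-check the whole array once with the (possibly wrapped) product, then
 * copy the entries one at a time. Returns 0, -ENOSPC (length check failed)
 * or -EFAULT (a per-entry copy ran off the user mapping). */
int model_post_send(size_t req_len, size_t user_mapped,
                    uint32_t wqe_size, uint32_t wr_count)
{
    struct req_iter it = { .cur = 0, .len = req_len };
    size_t wqes;
    int ret = iter_next(&it, wrapped_product(wqe_size, wr_count), &wqes);
    if (ret)
        return ret;
    for (uint32_t i = 0; i < wr_count; i++) {
        /* per-entry offset is computed in size_t, so it does not wrap here */
        ret = model_copy_from_user(wqes + (size_t)i * wqe_size, wqe_size,
                                   user_mapped);
        if (ret)
            return ret;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: 0x10000 * 0x10000 == 2^32, which wraps to 0. */
    uint32_t wqe_size = 0x10000, wr_count = 0x10000;
    printf("u32 product: 0x%x, overflows: %d\n",
           wrapped_product(wqe_size, wr_count),
           product_overflows(wqe_size, wr_count));
    printf("sane request (64 * 2 in 4096 bytes): %d\n",
           model_post_send(4096, 4096, 64, 2));
    printf("too-large request (64 * 100 in 4096 bytes): %d\n",
           model_post_send(4096, 4096, 64, 100));
    printf("wrapped request: %d\n",
           model_post_send(4096, 4096, wqe_size, wr_count));
    return 0;
}
```

With the wrapped product the length check asks for zero bytes and passes, which is the behaviour the report flags; the first per-entry copy then asks for 0x10000 bytes from a 4096-byte mapping and fails, which is the -EFAULT Jason describes. Computing the product with product_overflows() before the length check is what would turn that path into an early -ENOSPC/-EINVAL, but the copy-based bound is what keeps the kernel safe either way.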