On Fri, Jul 07, 2017 at 11:36:59AM -0400, Doug Ledford wrote:
> Upstream commit id in the rdma.git tree: 5ecce4c9b17b
>
> The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
> the port number from user input as part of its attributes and assumes
> it is valid. Down on the stack, that parameter is used to access kernel
> data structures. If the value is invalid, the kernel accesses memory
> it should not. To prevent this, verify the port number before using it.
>
> BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
> Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
>
> BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
> Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
>
> Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.2-v4.9
> Cc: <security@xxxxxxxxxx>
> Cc: Yevgeny Kliteynik <kliteyn@xxxxxxxxxxxx>
> Cc: Tziporet Koren <tziporet@xxxxxxxxxxxx>
> Cc: Alex Polak <alexpo@xxxxxxxxxxxx>
> Signed-off-by: Boris Pismenny <borisp@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
> ---
>
> Modified from upstream commit: helper function rdma_is_port_valid does not
> exist in these kernel versions, so use manual comparisons instead.
>
Thanks for taking care of it.
Attachment:
signature.asc
Description: PGP signature