On Fri, Jul 07, 2017 at 11:36:59AM -0400, Doug Ledford wrote: > Upstream commit id in the rdma.git tree: 5ecce4c9b17b > > The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive > the port number from user input as part of its attributes and assumes > it is valid. Down on the stack, that parameter is used to access kernel > data structures. If the value is invalid, the kernel accesses memory > it should not. To prevent this, verify the port number before using it. > > BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0 > Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313 > > BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0 > Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819 > > Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands") > Cc: <stable@xxxxxxxxxxxxxxx> # v4.2-v4.9 > Cc: <security@xxxxxxxxxx> > Cc: Yevgeny Kliteynik <kliteyn@xxxxxxxxxxxx> > Cc: Tziporet Koren <tziporet@xxxxxxxxxxxx> > Cc: Alex Polak <alexpo@xxxxxxxxxxxx> > Signed-off-by: Boris Pismenny <borisp@xxxxxxxxxxxx> > Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx> > Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx> > --- > > Modified from upstream commit: helper function rdma_is_port_valid does not > exist in these kernel versions, so use manual comparisons instead. > Thanks for taking care of it.
Attachment:
signature.asc
Description: PGP signature