IB/uverbs: CVE-2014-8159

Prevent integer overflow in ib_umem_get address arithmetic
Fix for linux-qoriq 3.12.

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/
?id=refs%2Ftags%2Fv3.12.51&qt=grep&q=CVE-2014-8159

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Huimin She <huimin.she@enea.com>

2 files changed, 51 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/IB-uverbs-CVE-2014-8159.patch b/recipes-kernel/linux/files/IB-uverbs-CVE-2014-8159.patch
new file mode 100644
index 0000000..3b62549
--- /dev/null
+++ b/recipes-kernel/linux/files/IB-uverbs-CVE-2014-8159.patch
@@ -0,0 +1,50 @@
+Date: Wed, 18 Mar 2015 17:39:08 +0000
+Subject: IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
+
+commit 8494057ab5e40df590ef6ef7d66324d3ae33356b upstream.
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Upstream-Status: Backport
+
+Addresses: CVE-2014-8159
+Signed-off-by: Shachar Raindel <raindel@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/infiniband/core/umem.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index a841123..055ebeb 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+        if (dmasync)
+                dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ 
++       /*
++        * If the combination of the addr and size requested for this memory
++        * region causes an integer overflow, return error.
++        */
++       if ((PAGE_ALIGN(addr + size) <= size) ||
++           (PAGE_ALIGN(addr + size) <= addr))
++               return ERR_PTR(-EINVAL);
++
+        if (!can_do_mlock())
+                return ERR_PTR(-EPERM);
+ 
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index d99bdef..dc7eab2 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -4,6 +4,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
     file://0001-sdhci-fix-Timeout-error-messages.patch \
     file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \
     file://mm-CVE-2014-3122.patch \
+    file://IB-uverbs-CVE-2014-8159.patch \
     "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \