author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-02 12:21:38 +0100 |
---|---|---|
committer | Huimin She <huimin.she@enea.com> | 2015-12-03 10:58:16 +0100 |
commit | 0db36d5a6f3cdeee6b4fc1184241b96d772e9d46 (patch) | |
tree | 0079d660a73b3ee5e0e8ae44075bae2189ecdb78 | |
parent | 51e9248e1748fcd3992cf47f6ecf9a3cb776c998 (diff) | |
download | meta-enea-0db36d5a6f3cdeee6b4fc1184241b96d772e9d46.tar.gz |
IB/uverbs: CVE-2014-8159
Prevent integer overflow in ib_umem_get address arithmetic
Fix for linux-qoriq 3.12.
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/
?id=refs%2Ftags%2Fv3.12.51&qt=grep&q=CVE-2014-8159
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Huimin She <huimin.she@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/IB-uverbs-CVE-2014-8159.patch | 50 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-common.inc | 1 |
2 files changed, 51 insertions, 0 deletions
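--- /dev/null
+++ b/recipes-kernel/linux/files/IB-uverbs-CVE-2014-8159.patch
@@ -0,0 +1,50 @@
+Date: Wed, 18 Mar 2015 17:39:08 +0000
+Subject: IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
+
+commit 8494057ab5e40df590ef6ef7d66324d3ae33356b upstream.
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Upstream-Status: Backport
+
+Addresses: CVE-2014-8159
+Signed-off-by: Shachar Raindel <raindel@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/infiniband/core/umem.c | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index a841123..055ebeb 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+if (dmasync)
+dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ /*
++ * If the combination of the addr and size requested for this memory
++ * region causes an integer overflow, return error.
++ */
++ if ((PAGE_ALIGN(addr + size) <= size) ||
++ (PAGE_ALIGN(addr + size) <= addr))
++ return ERR_PTR(-EINVAL);
++
+if (!can_do_mlock())
+return ERR_PTR(-EPERM);
+
+--
+cgit v0.11.2
+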
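Review bot: The overflow guard added to ib_umem_get (`PAGE_ALIGN(addr + size) <= size` or `<= addr`) rejects more than wrapped ranges: with `addr == 0` and a page-aligned `size` the first comparison is true, so a valid region starting at address 0 gets -EINVAL, and whether a zero `size` is accepted depends mainly on whether `addr` happens to be page-aligned. Testing the wrap itself avoids both, for example `if (!size) return ERR_PTR(-EINVAL);` followed by `if ((addr + size) < addr ||` `PAGE_ALIGN(addr + size) < (addr + size))`, assuming `size` is unsigned like `addr` (its declaration is cut off in the hunk header). Because this is a backport, it is worth checking whether the stable tree carries a later correction to this check and adding it to the recipe alongside this patch. ib_umem_get's body starts and ends outside the hunk.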
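--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -4,6 +4,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
 file://0001-sdhci-fix-Timeout-error-messages.patch \
 file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \
 file://mm-CVE-2014-3122.patch \
+file://IB-uverbs-CVE-2014-8159.patch \
 "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \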