From patchwork Tue Jan 2 19:44:34 2018
X-Patchwork-Submitter: simo.ghannam@gmail.com
X-Patchwork-Id: 854723
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <5a4be135.1296df0a.90c9.baea@mx.google.com>
X-Google-Original-Message-ID: <20180102194434.44912-1-simo.ghannam>
From: simo.ghannam@gmail.com
X-Google-Original-From: simo.ghannam
To: netdev@vger.kernel.org
Cc: Mohamed Ghannam
Subject: [PATCH] RDS: Heap OOB write in rds_message_alloc_sgs()
Date: Tue, 2 Jan 2018 19:44:34 +0000
X-Mailer: git-send-email 2.14.1
Sender: netdev-owner@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

From: Mohamed Ghannam

When args->nr_local is 0, nr_pages also gets 0 due to some size
calculation via rds_rm_size(), which is later used to allocate pages
for DMA. This bug produces a heap out-of-bounds write access to a
specific memory region.

Signed-off-by: Mohamed Ghannam
---
 net/rds/rdma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index bc2f1e0977d6..40a733566eb7 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + if (args->nr_local == 0) + return -EINVAL; + /* figure out the number of pages in the vector */ for (i = 0; i < args->nr_local; i++) { if (copy_from_user(&vec, &local_vec[i],
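Review bot: the new `if (args->nr_local == 0) return -EINVAL;` at the top of rds_rdma_extra_size() changes the function's contract from "returns a page count" to "returns a page count or a negative errno", but the hunk shows only the check, not the caller; the commit message names rds_rm_size() as the consumer of that value, so it should state that every caller treats a negative return as an error rather than adding it to the message size, otherwise -EINVAL would itself be folded into the size computation the patch is trying to fix. The description should also spell out the chain from nr_pages == 0 to the out-of-bounds write in rds_message_alloc_sgs() named in the subject, since a reviewer cannot reconstruct it from the three added lines, and a Fixes: tag pointing at the commit that introduced the unchecked nr_local handling is missing and would help stable backports.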