]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
IB/rxe: Fix mem_check_range integer overflow
authorEyal Itkin <eyal.itkin@gmail.com>
Tue, 7 Feb 2017 13:45:19 +0000 (16:45 +0300)
committerDoug Ledford <dledford@redhat.com>
Wed, 8 Feb 2017 17:28:30 +0000 (12:28 -0500)
Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.

Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
drivers/infiniband/sw/rxe/rxe_mr.c

index d0faca294006f4f53a40ebcf40839f9758b52c09..86a6585b847df90f07256dd4027eeab426be7f77 100644 (file)
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)
 
        case RXE_MEM_TYPE_MR:
        case RXE_MEM_TYPE_FMR:
-               return ((iova < mem->iova) ||
-                       ((iova + length) > (mem->iova + mem->length))) ?
-                       -EFAULT : 0;
+               if (iova < mem->iova ||
+                   length > mem->length ||
+                   iova > mem->iova + mem->length - length)
+                       return -EFAULT;
+               return 0;
 
        default:
                return -EFAULT;