summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2015-04-02 13:35:58 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2015-04-02 13:35:58 -0700
commit06459fc02f53d8adf9ccd9111a6c434dd5b208cd (patch)
treec45f953a86b9c5b36f78a478881321b70eb19a29 /drivers
parent0a4812798fae4f6bfcaab51e31b3898ff5ea3108 (diff)
parent8494057ab5e40df590ef6ef7d66324d3ae33356b (diff)
Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband
Pull infiniband/rdma fix from Roland Dreier: "Fix for exploitable integer overflow in uverbs interface" * tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband: IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/core/umem.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index aec7a6aa2951..8c014b5dab4c 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
if (dmasync)
dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ /*
+ * If the combination of the addr and size requested for this memory
+ * region causes an integer overflow, return error.
+ */
+ if ((PAGE_ALIGN(addr + size) <= size) ||
+ (PAGE_ALIGN(addr + size) <= addr))
+ return ERR_PTR(-EINVAL);
+
if (!can_do_mlock())
return ERR_PTR(-EPERM);