[kernel] CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950)

Josh Boyer jwboyer at fedoraproject.org
Thu Mar 12 12:50:50 UTC 2015


commit 32dcd3a968405b9678a538d951a0789e8eeb51ea
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Mar 12 08:47:38 2015 -0400

    CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950)

 ...vent-integer-overflow-in-ib_umem_get-addr.patch | 47 ++++++++++++++++++++++
 kernel.spec                                        |  9 +++++
 2 files changed, 56 insertions(+)
---
diff --git a/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch b/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
new file mode 100644
index 0000000..8f51675
--- /dev/null
+++ b/IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
@@ -0,0 +1,47 @@
+From: Shachar Raindel <raindel at mellanox.com>
+Date: Sun, 4 Jan 2015 18:30:32 +0200
+Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address
+ arithmetic
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Issue: 470602
+Change-Id: Iee88441db454af291fc5a376009d840603398d23
+Signed-off-by: Shachar Raindel <raindel at mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm at mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz at mellanox.com>
+---
+ drivers/infiniband/core/umem.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index aec7a6aa2951..8c014b5dab4c 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -99,6 +99,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+ 	if (dmasync)
+ 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ 
++	/*
++	 * If the combination of the addr and size requested for this memory
++	 * region causes an integer overflow, return error.
++	 */
++	if ((PAGE_ALIGN(addr + size) <= size) ||
++	    (PAGE_ALIGN(addr + size) <= addr))
++		return ERR_PTR(-EINVAL);
++
+ 	if (!can_do_mlock())
+ 		return ERR_PTR(-EPERM);
+ 
+-- 
+2.1.0
+
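Review bot: The two `<=` comparisons in the check added to ib_umem_get() also reject requests that do not overflow. With addr == 0 and a page-aligned size, PAGE_ALIGN(addr + size) equals size, so the first condition is true and the call returns -EINVAL. With size == 0 and a page-aligned addr the second condition is true, while size == 0 with an unaligned addr passes. Suggest testing the wrap directly, for example `addr + size < addr` together with `PAGE_ALIGN(addr + size) < addr + size`, and treating size == 0 as an explicit, separate case so the result does not depend on alignment.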
diff --git a/kernel.spec b/kernel.spec
index 515a052..b37678f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -654,6 +654,9 @@ Patch26164: Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch
 #CVE-2015-2150 rhbz 1196266 1200397
 Patch26165: xen-pciback-limit-guest-control-of-command-register.patch
 
+#CVE-2014-8159 rhbz 1181166 1200950
+Patch26167: IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
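Review bot: Patch26167 directly follows Patch26165 in this hunk, so 26166 is skipped. If that number is not held by a patch carried elsewhere, use Patch26166 to keep the series contiguous; if it is, a one-line comment saying so would help whoever does the next rebase.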
@@ -1412,6 +1415,9 @@ ApplyPatch Revert-Input-synaptics-use-dmax-in-input_mt_assign_s.patch
 #CVE-2015-2150 rhbz 1196266 1200397
 ApplyPatch xen-pciback-limit-guest-control-of-command-register.patch
 
+#CVE-2014-8159 rhbz 1181166 1200950
+ApplyPatch IB-core-Prevent-integer-overflow-in-ib_umem_get-addr.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2269,6 +2275,9 @@ fi
 #
 # 
 %changelog
+* Thu Mar 12 2015 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-8159 infiniband: uverbs: unprotected physical memory access (rhbz 1181166 1200950)
+
 * Wed Mar 11 2015 Josh Boyer <jwboyer at fedoraproject.org> - 4.0.0-0.rc3.git1.1
 - Linux v4.0-rc3-111-gaffb8172de39
 - CVE-2015-2150 xen: NMIs triggerable by guests (rhbz 1196266 1200397)

