[kernel] r22471 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon Apr 6 17:06:29 UTC 2015


Author: benh
Date: Mon Apr  6 17:06:28 2015
New Revision: 22471

Log:
IB/core: Prevent integer overflow in ib_umem_get address arithmetic (CVE-2014-8159)

Added:
   dists/sid/linux/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Mon Apr  6 16:54:31 2015	(r22470)
+++ dists/sid/linux/debian/changelog	Mon Apr  6 17:06:28 2015	(r22471)
@@ -178,6 +178,8 @@
   * [armel/kirkwood] linux-image: Add versioned Breaks against flash-kernel,
     to ensure that an FDT is appended to the image if needed (Closes: #781193)
   * Revert "quota: Store maximum space limit in bytes" to avoid ABI change
+  * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+    (CVE-2014-8159)
 
  -- Ian Campbell <ijc at debian.org>  Wed, 18 Mar 2015 21:07:15 +0000
 

Added: dists/sid/linux/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch	Mon Apr  6 17:06:28 2015	(r22471)
@@ -0,0 +1,38 @@
+From: Shachar Raindel <raindel at mellanox.com>
+Date: Sun, 04 Jan 2015 18:30:32 +0200
+Subject: IB/core: Prevent integer overflow in ib_umem_get address arithmetic
+Origin: https://marc.info/?l=oss-security&m=142672196502144&w=2
+
+Properly verify that the resulting page aligned end address is larger
+than both the start address and the length of the memory area
+requested.
+
+Both the start and length arguments for ib_umem_get are controlled by
+the user. A misbehaving user can provide values which will cause an
+integer overflow when calculating the page aligned end address.
+
+This overflow can cause also miscalculation of the number of pages
+mapped, and additional logic issues.
+
+Signed-off-by: Shachar Raindel <raindel at mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm at mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz at mellanox.com>
+---
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ 	if (dmasync)
+ 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ 
++	/*
++	 * If the combination of the addr and size requested for this memory
++	 * region causes an integer overflow, return error.
++	 */
++	if ((PAGE_ALIGN(addr + size) <= size) ||
++	    (PAGE_ALIGN(addr + size) <= addr))
++		return ERR_PTR(-EINVAL);
++
+ 	if (!can_do_mlock())
+ 		return ERR_PTR(-EPERM);
+ 
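
Review bot: The `<=` comparisons in the check added to ib_umem_get() reject more than overflow and treat zero-length requests inconsistently. With size == 0 and a page-aligned addr, PAGE_ALIGN(addr + size) equals addr, so the second test returns -EINVAL, while size == 0 with an unaligned addr passes both tests and continues. Consider rejecting the empty case explicitly (`if (!size) return ERR_PTR(-EINVAL);`) and testing the wrap directly, for example `(addr + size) < addr || PAGE_ALIGN(addr + size) < (addr + size)`, so that the condition rejects exactly what the comment describes. The types of addr and size are not visible in this hunk; the comparison only detects wraparound if both are unsigned, which is worth stating in the comment.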

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Mon Apr  6 16:54:31 2015	(r22470)
+++ dists/sid/linux/debian/patches/series	Mon Apr  6 17:06:28 2015	(r22471)
@@ -554,3 +554,5 @@
 debian/mm-fix-pagecache_get_page-abi-change-in-3.16.7-ckt6.patch
 debian/tcp-fix-abi-change-in-3.16.7-ckt7.patch
 debian/usb-avoid-abi-change-in-3.16.7-ckt8.patch
+
+bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch


