Commit b7dd5edc authored Feb 07, 2017 by Eyal Itkin Committed by Greg Kroah-Hartman Feb 14, 2017

IB/rxe: Fix mem_check_range integer overflow



commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream.

Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.

Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 5476efee

drivers/infiniband/sw/rxe/rxe_mr.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)

		case RXE_MEM_TYPE_MR:
		case RXE_MEM_TYPE_FMR:
		return ((iova < mem->iova) \|\|
		((iova + length) > (mem->iova + mem->length))) ?
		-EFAULT : 0;
		if (iova < mem->iova \|\|
		length > mem->length \|\|
		iova > mem->iova + mem->length - length)
		return -EFAULT;
		return 0;

		default:
		return -EFAULT;