Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4cf93bdb authored by Mohamed Ghannam's avatar Mohamed Ghannam Committed by Usaamah Patel
Browse files

CVE-2018-5332: RDS: Heap OOB write in rds_message_alloc_sgs() 



When args->nr_local is 0, nr_pages gets also 0 due some size
calculation via rds_rm_size(), which is later used to allocate
pages for DMA, this bug produces a heap Out-Of-Bound write access
to a specific memory region.

Change-Id: Ia146a87544c0c23f7ea7f72ac30544ac777d9323
Signed-off-by: default avatarMohamed Ghannam <simo.ghannam@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2338563c

net/rds/rdma.c

+3 −0
Original line number Diff line number Diff line
@@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args) 


	local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;



	if (args->nr_local == 0)

		return -EINVAL;



	/* figure out the number of pages in the vector */

	for (i = 0; i < args->nr_local; i++) {

		if (copy_from_user(&vec, &local_vec[i],