linux-uconsole/drivers
Boris Pismenny 5fd2bba08c RDMA/uverbs: Check port number supplied by user verbs cmds
commit 5ecce4c9b1 upstream.

The ib_uverbs_create_ah() and ib_uverbs_modify_qp() calls receive
the port number from user input as part of their attributes and assume
it is valid. Down on the stack, that parameter is used to access kernel
data structures. If the value is invalid, the kernel accesses memory
it should not. To prevent this, verify the port number before using it.

BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313

BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819

Fixes: 67cdb40ca4 ("[IB] uverbs: Implement more commands")
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-07-15 11:57:47 +02:00
accessibility
acpi ACPI / power: Avoid maybe-uninitialized warning 2017-04-27 09:09:33 +02:00
amba
android ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct 2016-11-10 16:36:33 +01:00
ata libata: apply MAX_SEC_1024 to all CX1-JB*-HP devices 2017-02-09 08:02:45 +01:00
atm
auxdisplay
base driver core: platform: fix race condition with driver_override 2017-07-15 11:57:44 +02:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block drbd: avoid redefinition of BITS_PER_PAGE 2017-05-08 07:46:01 +02:00
bluetooth Bluetooth: hci_intel: add missing tty-device sanity check 2017-05-20 14:27:02 +02:00
bus bus: vexpress-config: fix device reference leak 2017-01-19 20:17:22 +01:00
cdrom
char virtio_console: fix a crash in config_work_handler 2017-07-05 14:37:18 +02:00
clk clk: Make x86/ conditional on CONFIG_COMMON_CLK 2017-05-14 13:32:55 +02:00
clocksource clocksource/exynos_mct: Clear interrupt when cpu is shut down 2017-01-26 08:23:48 +01:00
connector
cpufreq cpufreq: s3c2416: double free on driver init error path 2017-07-05 14:37:22 +02:00
cpuidle ARM: cpuidle: Fix error return code 2016-10-16 17:36:15 +02:00
crypto crypto: caam - fix RNG deinstantiation error checking 2017-04-18 07:14:36 +02:00
dca
devfreq
dio
dma dmaengine: ep93xx: Always start from BASE0 2017-06-14 13:16:22 +02:00
dma-buf
edac EDAC: Increment correct counter in edac_inc_ue_error() 2016-09-07 08:32:41 +02:00
eisa
extcon extcon: max77843: Use correct size for reading the interrupt register 2016-05-04 14:48:54 -07:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware efi: Expose non-blocking set_variable() wrapper to efivars 2016-05-04 14:48:49 -07:00
fmc
fpga
gpio gpio: mpc8xxx: Correct irq handler function 2016-10-28 03:01:25 -04:00
gpu drm/virtio: don't leak bo on drm_gem_object_init failure 2017-07-15 11:57:45 +02:00
hid HID: i2c-hid: Add sleep between POWER ON and RESET 2017-07-05 14:37:20 +02:00
hsi
hv hv: don't reset hv_context.tsc_page on crash 2017-04-27 09:09:34 +02:00
hwmon hwmon: (g762) Fix overflows and crash seen when writing limit attributes 2017-01-12 11:22:48 +01:00
hwspinlock
hwtracing intel_th: Fix a deadlock in modprobing 2016-08-10 11:49:30 +02:00
i2c i2c: piix4: Fix request_region size 2017-06-17 06:39:36 +02:00
ide
idle intel_idle: Support for Intel Xeon Phi Processor x200 Product Family 2016-09-15 08:27:46 +02:00
iio iio: proximity: as3935: recalibrate RCO after resume 2017-06-26 07:13:09 +02:00
infiniband RDMA/uverbs: Check port number supplied by user verbs cmds 2017-07-15 11:57:47 +02:00
input Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list 2017-06-29 12:48:51 +02:00
iommu iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid() 2017-07-05 14:37:22 +02:00
ipack
irqchip xtensa: don't use linux IRQ #0 2017-06-17 06:39:38 +02:00
isdn isdn/gigaset: fix NULL-deref at probe 2017-03-26 12:13:19 +02:00
leds leds: ktd2692: avoid harmless maybe-uninitialized warning 2017-05-14 13:32:55 +02:00
lguest
lightnvm lightnvm: put bio before return 2016-09-24 10:07:35 +02:00
macintosh
mailbox
mcb mcb: Fixed bar number assignment for the gdd 2016-06-01 12:15:53 -07:00
md md: update slab_cache before releasing new stripes when stripes resizing 2017-05-25 14:30:08 +02:00
media pvrusb2: reduce stack usage pvr2_eeprom_analyze() 2017-06-26 07:13:09 +02:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-07-27 09:47:35 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-28 03:01:35 -04:00
message
mfd mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode 2017-06-26 07:13:09 +02:00
misc drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR() 2017-06-26 07:13:10 +02:00
mmc mmc: sdhci-iproc: suppress spurious interrupt with Multiblock read 2017-06-07 12:06:00 +02:00
mtd mtd: bcm47xxpart: don't fail because of bit-flips 2017-07-05 14:37:18 +02:00
net ath10k: override CE5 config for QCA9377 2017-07-15 11:57:47 +02:00
nfc mei: bus: fix received data size check in NFC fixup 2016-11-18 10:48:36 +01:00
ntb ntb_transport: Pick an unused queue 2017-02-23 17:43:10 +01:00
nubus
nvdimm libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat 2017-04-21 09:30:06 +02:00
nvme nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too 2017-06-29 12:48:53 +02:00
nvmem nvmem: mxs-ocotp: fix buffer overflow in read 2016-05-11 11:21:21 +02:00
of of: Add check to of_scan_flat_dt() before accessing initial_boot_params 2017-06-29 12:48:52 +02:00
oprofile
parisc
parport parisc, parport_gsc: Fixes for printk continuation lines 2017-06-17 06:39:37 +02:00
pci PCI: Freeze PME scan before suspending devices 2017-05-25 14:30:17 +02:00
pcmcia pcmcia: db1xxx_ss: fix last irq_to_gpio user 2016-04-20 15:42:09 +09:00
perf drivers/perf: arm_pmu: Fix leak in error path 2016-10-07 15:23:41 +02:00
phy phy: qcom-usb-hs: Add depends on EXTCON 2017-05-14 13:32:57 +02:00
pinctrl pinctrl: sh-pfc: Update info pointer after SoC-specific init 2017-07-15 11:57:46 +02:00
platform platform/x86: ideapad-laptop: handle ACPI event 1 2017-07-05 14:37:19 +02:00
pnp PNP: Add Broadwell to Intel MCH size workaround 2016-08-16 09:30:48 +02:00
power power: supply: bq24190_charger: Handle fault before status on interrupt 2017-05-14 13:32:54 +02:00
powercap
pps pps: do not crash when failed to register 2016-08-10 11:49:25 +02:00
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: tps65023: Fix inverted core enable logic. 2017-05-25 14:30:09 +02:00
remoteproc remoteproc: Fix potential race condition in rproc_add 2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc rtc: tegra: Implement clock handling 2017-04-21 09:30:07 +02:00
s390 s390/qeth: avoid null pointer dereference on OSN 2017-06-07 12:05:57 +02:00
sbus
scsi scsi: lpfc: avoid double free of resource identifiers 2017-07-05 14:37:20 +02:00
sfi
sh drivers: sh: Restore legacy clock domain on SuperH platforms 2016-03-09 15:34:49 -08:00
sn
soc soc: qcom/spm: shut up uninitialized variable warning 2016-09-24 10:07:42 +02:00
spi spi: davinci: use dma_mapping_error() 2017-07-05 14:37:20 +02:00
spmi
ssb ssb: Fix error routine when fallback SPROM fails 2017-01-09 08:07:42 +01:00
staging staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() 2017-06-26 07:13:09 +02:00
target iscsi-target: Reject immediate data underflow larger than SCSI transfer length 2017-06-29 12:48:52 +02:00
tc
thermal thermal: hwmon: Properly report critical temperature in sysfs 2017-01-09 08:07:44 +01:00
thunderbolt thunderbolt: Fix double free of drom buffer 2016-06-01 12:15:53 -07:00
tty serial: efm32: Fix parity management in 'efm32_uart_console_get_options()' 2017-06-26 07:13:09 +02:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb USB: serial: qcserial: new Sierra Wireless EM7305 device ID 2017-07-15 11:57:46 +02:00
uwb uwb: fix device quirk on big-endian hosts 2017-05-25 14:30:17 +02:00
vfio vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null 2017-07-05 14:37:19 +02:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-09-15 08:27:53 +02:00
video xen, fbfront: fix connecting to backend 2017-04-21 09:30:06 +02:00
virt
virtio virtio_balloon: init 1st buffer in stats vq 2017-03-31 09:49:53 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 06:37:29 +01:00
watchdog watchdog: bcm281xx: Fix use of uninitialized spinlock. 2017-07-05 14:37:21 +02:00
xen swiotlb-xen: update dev_addr after swapping pages 2017-07-05 14:37:18 +02:00
zorro
Kconfig
Makefile usb: Make sure usb/phy/of gets built-in 2017-05-20 14:26:59 +02:00