From 45e8e04819666c5ad4c4464f52d2bf59d3728bb5 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 28 Oct 2010 15:40:55 +0000 Subject: [PATCH] net: fix rds_iovec page count overflow BugLink: http://bugs.launchpad.net/bugs/709153 CVE-2010-3865 As reported by Thomas Pollet, the rdma page counting can overflow. We get the rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and shift them down to pages (so with a possible "+1" for an unaligned address). So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up, they might end up resulting in a signed return value. Which would be wrong. Catch the case of tot_pages turning negative, and return the appropriate error code. Reported-by: Thomas Pollet Signed-off-by: Linus Torvalds Signed-off-by: Andy Grover Signed-off-by: David S. Miller (backported from commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream) [v2: nr is unsigned in the old code] Signed-off-by: Stefan Bader --- net/rds/rdma.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 6b09b94..ff5e3c9 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -473,6 +473,17 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs, max_pages = max(nr, max_pages); nr_pages += nr; + + /* + * nr for one entry in limited to (UINT_MAX>>PAGE_SHIFT)+1 + * so nr_pages cannot overflow without becoming bigger than + * INT_MAX first. If nr cannot overflow then max_pages should + * be ok. + */ + if (nr_pages > INT_MAX) { + ret = -EINVAL; + goto out; + } } pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL); -- 1.7.0.4