Skip to content
Permalink
Browse files

IB/rxe: Fix mem_check_range integer overflow

Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.

Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
  • Loading branch information...
Eyal Itkin authored and dledford committed Feb 7, 2017
1 parent 628f07d commit 647bf3d8a8e5777319da92af672289b2a6c4dc66
Showing with 5 additions and 3 deletions.
  1. +5 −3 drivers/infiniband/sw/rxe/rxe_mr.c
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem, u64 iova, size_t length)

case RXE_MEM_TYPE_MR:
case RXE_MEM_TYPE_FMR:
return ((iova < mem->iova) ||
((iova + length) > (mem->iova + mem->length))) ?
-EFAULT : 0;
if (iova < mem->iova ||
length > mem->length ||
iova > mem->iova + mem->length - length)
return -EFAULT;
return 0;

default:
return -EFAULT;

0 comments on commit 647bf3d

Please sign in to comment.
You can’t perform that action at this time.