From: Jiri Pirko <jpirko@redhat.com> Date: Mon, 15 Nov 2010 12:50:21 -0500 Subject: [net] rds: fix rds_iovec page count overflow Message-id: <20101115125020.GB2674@psychotron.brq.redhat.com> Patchwork-id: 29366 O-Subject: [RHEL5.6 patch] BZ647422 CVE-2010-3865 net: fix rds_iovec page count overflow Bugzilla: 647422 RH-Acked-by: Neil Horman <nhorman@redhat.com> RH-Acked-by: David S. Miller <davem@redhat.com> RH-Acked-by: Doug Ledford <dledford@redhat.com> BZ647422 https://bugzilla.redhat.com/show_bug.cgi?id=647422 Description: As reported by Thomas Pollet, the rdma page counting can overflow. We get the rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and shift them down to pages (so with a possible "+1" for an unaligned address). So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up, they might end up resulting in a signed return value. Which would be wrong. Catch the case of nr_pages turning negative, and return the appropriate error code. Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1b1f693d7ad6d193862dcb1118540a030c5e761f Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=2893377 Test status: tested with reproducer b.c on i686 (dell-pe1950-05.lab.bos.redhat.com) Jirka Signed-off-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 9c0e98a..115cd50 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -478,6 +478,15 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs, max_pages = max(nr, max_pages); nr_pages += nr; + + /* + * nr for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1, + * so nr_pages cannot overflow without first going negative. + */ + if ((int)nr_pages < 0) { + ret = -EINVAL; + goto out; + } } pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL);