RDMA/ucma: Limit possible option size

commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream. Users of ucma are supposed to provide size of option level, in most paths it is supposed to be equal to u8 or u16, but it is not the case for the IB path record, where it can be multiple of struct ib_path_rec_data. This patch takes simplest possible approach and prevents providing values more than possible to allocate. Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") Signed-off-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Doug Ledford <dledford@redhat.com> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Leon Romanovsky <leonro@mellanox.com> 2018-03-07 14:49:09 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2018-06-01 00:30:20 +0100
commit: 225c79af589fd48a19c42e9f50cfa05a24815bda (patch)
tree: be383b4e3635f7bbfbc72ad4d3451314af23a109
parent: 4d2a62907278533789973df7b28f404c17b3988c (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 91e82b7dadfa..79d03330cc57 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1000,6 +1000,9 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
 	if (IS_ERR(ctx))
 		return PTR_ERR(ctx);
 
+	if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+		return -EINVAL;
+
 	optval = kmalloc(cmd.optlen, GFP_KERNEL);
 	if (!optval) {
 		ret = -ENOMEM;
author	Leon Romanovsky <leonro@mellanox.com>	2018-03-07 14:49:09 +0200
committer	Ben Hutchings <ben@decadent.org.uk>	2018-06-01 00:30:20 +0100
commit	225c79af589fd48a19c42e9f50cfa05a24815bda (patch)
tree	be383b4e3635f7bbfbc72ad4d3451314af23a109
parent	4d2a62907278533789973df7b28f404c17b3988c (diff)