From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 17 Nov 2010 06:37:16 +0000 (+0000)
Subject: rds: Integer overflow in RDS cmsg handling
X-Git-Tag: firefly_0821_release~7613^2~3176^2~130
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=218854af84038d828a32f061858b1902ed2beec6;p=firefly-linux-kernel-4.4.55.git

rds: Integer overflow in RDS cmsg handling

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 8920f2a83327..4e37c1cbe8b2 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
 		goto out;
 	}
 
-	if (args->nr_local > (u64)UINT_MAX) {
+	if (args->nr_local > UIO_MAXIOV) {
 		ret = -EMSGSIZE;
 		goto out;
 	}