[PATCH 4.9 56/60] IB/rxe: Fix mem_check_range integer overflow

From: Greg Kroah-Hartman
Date: Mon Feb 13 2017 - 08:16:46 EST


4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eyal Itkin <eyal.itkin@xxxxxxxxx>

commit 647bf3d8a8e5777319da92af672289b2a6c4dc66 upstream.

Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.

Signed-off-by: Eyal Itkin <eyal.itkin@xxxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/infiniband/sw/rxe/rxe_mr.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/sw/rxe/rxe_mr.c
+++ b/drivers/infiniband/sw/rxe/rxe_mr.c
@@ -59,9 +59,11 @@ int mem_check_range(struct rxe_mem *mem,

case RXE_MEM_TYPE_MR:
case RXE_MEM_TYPE_FMR:
- return ((iova < mem->iova) ||
- ((iova + length) > (mem->iova + mem->length))) ?
- -EFAULT : 0;
+ if (iova < mem->iova ||
+ length > mem->length ||
+ iova > mem->iova + mem->length - length)
+ return -EFAULT;
+ return 0;

default:
return -EFAULT;