diff options
| author | Yann Droneaud <ydroneaud@opteya.com> | 2014-03-10 23:06:27 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2014-04-30 16:23:22 +0100 |
| commit | a3ffdf42b198ba6a2e3427cd456f892aa89a36b4 (patch) | |
| tree | 278bf2636f5f984603de7d99609b473ce39d7ff3 /scripts/checkstack.pl | |
| parent | a9782df2240b10ebc8df587e5a7f574ef9f44f71 (diff) | |
| download | kernel_samsung_smdk4412-a3ffdf42b198ba6a2e3427cd456f892aa89a36b4.zip kernel_samsung_smdk4412-a3ffdf42b198ba6a2e3427cd456f892aa89a36b4.tar.gz kernel_samsung_smdk4412-a3ffdf42b198ba6a2e3427cd456f892aa89a36b4.tar.bz2 | |
IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL
commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream.
In case of error while accessing to userspace memory, function
nes_create_qp() returns NULL instead of an error code wrapped through
ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it
check for error with IS_ERR().
As page 0 is likely not mapped, it is going to trigger an Oops when
the kernel will try to dereference NULL pointer to access to struct
ib_qp's fields.
In some rare cases, page 0 could be mapped by userspace, which could
turn this bug to a vulnerability that could be exploited: the function
pointers in struct ib_device will be under userspace total control.
This was caught when using spatch (aka. coccinelle)
to rewrite calls to ib_copy_{from,to}_udata().
Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null
Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci
Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'scripts/checkstack.pl')
0 files changed, 0 insertions, 0 deletions