Commit 5201953
RDMA/umad: Reject negative data_len in ib_umad_write
jira VULN-178538
cve CVE-2026-23243
commit-author YunJe Shin <yjshin0438@gmail.com>
commit 5551b02
upstream-diff |
cast second param `hdr_size(file) + hdr_len` in `check_sub_overflow`
call to size_t to match the type of the first param `count` to fix
build issue.
ib_umad_write computes data_len from user-controlled count and the
MAD header sizes. With a mismatched user MAD header size and RMPP
header length, data_len can become negative and reach ib_create_send_mad().
This can make the padding calculation exceed the segment size and trigger
an out-of-bounds memset in alloc_send_rmpp_list().
Add an explicit check to reject negative data_len before creating the
send buffer.
KASAN splat:
[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0
[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102
[ 211.365867] ib_create_send_mad+0xa01/0x11b0
[ 211.365887] ib_umad_write+0x853/0x1c80
Fixes: 2be8e3e ("IB/umad: Add P_Key index support")
Signed-off-by: YunJe Shin <ioerts@kookmin.ac.kr>
Link: https://patch.msgid.link/20260203100628.1215408-1-ioerts@kookmin.ac.kr
Signed-off-by: Leon Romanovsky <leon@kernel.org>
(cherry picked from commit 5551b02)
Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>1 parent 4a90f6c commit 5201953
1 file changed
Lines changed: 6 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
500 | 500 | | |
501 | 501 | | |
502 | 502 | | |
503 | | - | |
| 503 | + | |
| 504 | + | |
504 | 505 | | |
505 | 506 | | |
506 | 507 | | |
| |||
574 | 575 | | |
575 | 576 | | |
576 | 577 | | |
577 | | - | |
| 578 | + | |
| 579 | + | |
| 580 | + | |
| 581 | + | |
578 | 582 | | |
579 | 583 | | |
580 | 584 | | |
| |||
0 commit comments