Date: Wed, 12 Dec 2018 12:00:51 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r341920 - stable/11/sys/dev/mlx5/mlx5_ib Message-ID: <201812121200.wBCC0pSf064333@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Wed Dec 12 12:00:51 2018 New Revision: 341920 URL: https://svnweb.freebsd.org/changeset/base/341920 Log: MFC r341553: mlx5: Fix integer overflow while resizing CQ The user can provide very large cqe_size which will cause to integer overflow. Linux commit: 28e9091e3119933c38933cb8fc48d5618eb784c8 Sponsored by: Mellanox Technologies Modified: stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c ============================================================================== --- stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 12 12:00:34 2018 (r341919) +++ stable/11/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 12 12:00:51 2018 (r341920) @@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812121200.wBCC0pSf064333>