Date: Wed, 5 Dec 2018 13:40:06 +0000 (UTC) From: Slava Shwartsman <slavash@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r341553 - head/sys/dev/mlx5/mlx5_ib Message-ID: <201812051340.wB5De6DY076520@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: slavash Date: Wed Dec 5 13:40:05 2018 New Revision: 341553 URL: https://svnweb.freebsd.org/changeset/base/341553 Log: mlx5: Fix integer overflow while resizing CQ The user can provide very large cqe_size which will cause to integer overflow. Linux commit: 28e9091e3119933c38933cb8fc48d5618eb784c8 Approved by: hselasky (mentor) MFC after: 1 week Sponsored by: Mellanox Technologies Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Modified: head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c ============================================================================== --- head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:39:35 2018 (r341552) +++ head/sys/dev/mlx5/mlx5_ib/mlx5_ib_cq.c Wed Dec 5 13:40:05 2018 (r341553) @@ -1124,7 +1124,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812051340.wB5De6DY076520>