IB/core: Prevent integer overflow in ib_umem_get address arithmetic

Properly verify that the resulting page-aligned end address is larger
than both the start address and the length of the memory area
requested.
Both the start and length arguments for ib_umem_get are controlled by
the user. A misbehaving user can provide values which will cause an
integer overflow when calculating the page aligned end address.
This overflow can also cause miscalculation of the number of pages
mapped, and additional logic issues.
Issue: 470602
Change-Id: Iee88441db454af291fc5a376009d840603398d23
Signed-off-by: Shachar Raindel <email address hidden>
Signed-off-by: Jack Morgenstein <email address hidden>
Signed-off-by: Or Gerlitz <email address hidden>
Signed-off-by: John Johansen <email address hidden>
CVE-2015-8159
BugLink: http://bugs.launchpad.net/bugs/1413741
Signed-off-by: Luis Henriques <email address hidden>
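The address arithmetic the commit above describes, as an added example that is not part of the original page or the kernel's own ib_umem_get(): a userspace model that assumes 64-bit addresses and 4 KiB pages, with hypothetical function names. The unchecked variant follows the rounding the commit message describes (start rounded down, addr + size rounded up, page count from the difference); the hardened variant rejects a request when addr + size wraps, or when rounding the end up to a page boundary wraps. The sample inputs are constructed.

```c
/* Added example, not the kernel's ib_umem_get(): a userspace model of the
 * page-aligned end-address arithmetic the commit describes. Assumes 64-bit
 * addresses and 4 KiB pages; function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (UINT64_C(1) << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Page count derived from user-controlled addr/size with no overflow check:
 * start rounds addr down, end rounds addr+size up, and the count is the
 * page-shifted difference. Both additions may wrap modulo 2^64. */
uint64_t umem_npages_unchecked(uint64_t addr, uint64_t size)
{
    uint64_t start = addr & PAGE_MASK;
    uint64_t end = PAGE_ALIGN(addr + size);
    return (end - start) >> PAGE_SHIFT;
}

/* Hardened range check: addr + size must not wrap past addr, and rounding
 * the end up to a page boundary must not wrap either. */
bool umem_range_ok(uint64_t addr, uint64_t size)
{
    uint64_t end = addr + size;
    if (end < addr)             /* addr + size overflowed */
        return false;
    if (PAGE_ALIGN(end) < end)  /* end is in the last page; rounding up wraps to 0 */
        return false;
    return true;
}

/* Returns the page count, or -1 (EINVAL in the kernel) when the range is rejected. */
int64_t umem_npages_checked(uint64_t addr, uint64_t size)
{
    if (!umem_range_ok(addr, size))
        return -1;
    return (int64_t)umem_npages_unchecked(addr, size);
}

int main(void)
{
    /* Constructed inputs: a sane 8 KiB request, and a size chosen so that
     * addr + size wraps to just past addr. The unchecked count for the
     * second is a single page while the requested length is nearly 2^64
     * bytes, which is the "miscalculation of the number of pages mapped". */
    uint64_t addr = UINT64_C(0x7f0000000100);
    uint64_t sane = UINT64_C(0x2000);
    uint64_t evil = UINT64_C(0xFFFFFFFFFFFFFF80);

    printf("sane: unchecked=%llu checked=%lld\n",
           (unsigned long long)umem_npages_unchecked(addr, sane),
           (long long)umem_npages_checked(addr, sane));
    printf("evil: unchecked=%llu checked=%lld\n",
           (unsigned long long)umem_npages_unchecked(addr, evil),
           (long long)umem_npages_checked(addr, evil));
    return 0;
}
```

The second check matters on its own: a range that ends inside the last page of the address space does not overflow in addr + size, but PAGE_ALIGN of that end does, and the page-rounded end then compares smaller than the start.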

When a key is being garbage collected, its key->user would get put before
the ->destroy() callback is called, where the key is removed from its
respective tracking structures.
This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try and access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).
This would cause either a panic, or corrupt memory.

We didn't check the length of Rock Ridge ER records before printing them.
Thus a corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Reported-and-tested-by: Carl Henrik Lunde <email address hidden>
CC: <email address hidden>
Signed-off-by: Jan Kara <email address hidden>
(cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
CVE-2014-9584
BugLink: http://bugs.launchpad.net/bugs/1409808
Signed-off-by: Luis Henriques <email address hidden>
Acked-by: Seth Forshee <email address hidden>
Acked-by: Colin King <email address hidden>
Signed-off-by: Brad Figg <email address hidden>
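The length check the isofs commit above describes, as an added example that is not part of the original page or the kernel's isofs code: a bounds-checked walk of a Rock Ridge System Use area that refuses an ER entry whose string lengths run past the entry's own length. It goes beyond the commit by validating all three ER strings (identifier, descriptor, source) rather than only the identifier that gets printed. The layout follows the RRIP System Use Entry format (signature, length, version, then for ER the four length/version bytes and the strings); struct and function names are hypothetical and both sample buffers are constructed.

```c
/* Added example, not the kernel's isofs code: a bounds-checked walk of a
 * Rock Ridge System Use area that refuses an "ER" entry whose string
 * lengths exceed the entry's own length. Checks all three ER strings, not
 * only the identifier. Function and struct names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUE_HDR 4  /* every entry: signature(2) + len(1) + version(1) */
#define ER_HDR  8  /* ER adds len_id, len_des, len_src, ext_ver before its strings */

struct er_entry {
    const uint8_t *id, *des, *src;      /* point into the caller's buffer */
    uint8_t len_id, len_des, len_src, ext_ver;
};

/* Returns 1 and fills *out on a well-formed ER entry, 0 if none is present,
 * -1 for any entry that claims more bytes than its length or the buffer
 * provides. Without the -1 paths a crafted image makes the caller read and
 * print memory past the end of the system-use area. */
int find_er_entry(const uint8_t *su, size_t su_len, struct er_entry *out)
{
    size_t off = 0;
    while (off + SUE_HDR <= su_len) {
        const uint8_t *e = su + off;
        uint8_t len = e[2];
        if (len < SUE_HDR || len > su_len - off)
            return -1;                       /* entry overruns the buffer */
        if (e[0] == 'S' && e[1] == 'T')
            return 0;                        /* terminator */
        if (e[0] == 'E' && e[1] == 'R') {
            if (len < ER_HDR)
                return -1;
            size_t need = (size_t)ER_HDR + e[4] + e[5] + e[6];
            if (need > len)
                return -1;                   /* strings would run past the entry */
            out->len_id = e[4]; out->len_des = e[5];
            out->len_src = e[6]; out->ext_ver = e[7];
            out->id  = e + ER_HDR;
            out->des = out->id + out->len_id;
            out->src = out->des + out->len_des;
            return 1;
        }
        off += len;                          /* skip unrelated entries */
    }
    return 0;
}

/* Constructed sample: an "SP" entry followed by a well-formed ER entry. */
static const uint8_t good_su[] = {
    'S','P', 7, 1, 0xBE, 0xEF, 0,
    'E','R', 24, 1, 10, 3, 3, 1,
    'R','R','I','P','_','1','9','9','1','A', 'D','E','S', 'S','R','C',
};

/* Constructed malicious sample: len_id claims 200 bytes, the entry holds 12. */
static const uint8_t bad_su[] = {
    'E','R', 12, 1, 200, 0, 0, 1, 'R','R','I','P',
};

/* Helpers returning what the parser concludes about each sample. */
int er_demo_good(void)
{
    struct er_entry er;
    if (find_er_entry(good_su, sizeof good_su, &er) != 1)
        return -2;
    if (er.len_id != 10 || memcmp(er.id, "RRIP_1991A", 10) != 0)
        return -3;
    return er.len_id;
}

int er_demo_bad(void)
{
    struct er_entry er;
    return find_er_entry(bad_su, sizeof bad_su, &er);
}

int main(void)
{
    struct er_entry er;
    if (find_er_entry(good_su, sizeof good_su, &er) == 1)
        printf("ER: id=%.*s des=%.*s src=%.*s\n",
               er.len_id, (const char *)er.id,
               er.len_des, (const char *)er.des,
               er.len_src, (const char *)er.src);
    printf("malicious sample: %d\n", er_demo_bad());
    return 0;
}
```

The check is done against the entry's own length byte, not the remaining buffer, because the entry length is what the rest of the system-use walker trusts to step to the next entry; an ER whose strings exceed its length is malformed even when the buffer happens to be large enough.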