From patchwork Sun Apr 1 04:53:01 2018
X-Patchwork-Submitter: Rob Gardner
X-Patchwork-Id: 893906
X-Patchwork-Delegate: davem@davemloft.net
From: Rob Gardner
To: sparclinux@vger.kernel.org
Cc: torvalds@linux-foundation.org, Rob Gardner, Jonathan Helman
Subject: [PATCH] sparc64: Properly range check DAX completion index
Date: Sat, 31 Mar 2018 22:53:01 -0600
Message-Id: <1522558381-31281-1-git-send-email-rob.gardner@oracle.com>
X-Mailing-List: sparclinux@vger.kernel.org

Each Oracle DAX CCB has a corresponding completion area, and the required number of areas must fit within a previously allocated array of completion areas beginning at the requested index.

Since the completion area index is specified by a file offset, a user can pass arbitrary values, including negative numbers. So the index must be thoroughly range checked to prevent access to addresses outside the bounds of the allocated completion area array. The index cannot be negative, and it cannot exceed the total array size, less the number of CCBs requested.

The old code did not check for negative values and was off by one on the upper bound.

Signed-off-by: Rob Gardner
Signed-off-by: Jonathan Helman Reported-by: Linus Torvalds --- drivers/sbus/char/oradax.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/sbus/char/oradax.c b/drivers/sbus/char/oradax.c index d8597d5..96b4ad7 100644 --- a/drivers/sbus/char/oradax.c +++ b/drivers/sbus/char/oradax.c @@ -880,7 +880,7 @@ static int dax_ccb_exec(struct dax_ctx *ctx, const char __user *buf, dax_dbg("args: ccb_buf_len=%ld, idx=%d", count, idx); /* for given index and length, verify ca_buf range exists */ - if (idx + nccbs >= DAX_CA_ELEMS) { + if (idx < 0 || idx > (DAX_CA_ELEMS - nccbs)) { ctx->result.exec.status = DAX_SUBMIT_ERR_NO_CA_AVAIL; return 0; }
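Review bot: the new upper bound `idx > (DAX_CA_ELEMS - nccbs)` in dax_ccb_exec() depends on `nccbs` already being limited to at most DAX_CA_ELEMS, and neither that check nor the types of `nccbs` and DAX_CA_ELEMS are visible in this hunk. With plain signed ints an oversized `nccbs` makes the right-hand side negative and every non-negative `idx` is rejected, which is fine; if either operand is unsigned, the subtraction wraps to a large value and the test passes for any `idx`. Please point to where `nccbs` is bounded earlier in the function, or make the condition self-contained, e.g. `if (idx < 0 || nccbs > DAX_CA_ELEMS || idx > DAX_CA_ELEMS - nccbs)`. The comment above the test ("for given index and length, verify ca_buf range exists") could also say that `idx` is derived from the user-supplied file offset and may be negative, since that is the reason for the `idx < 0` term. One detail for anyone assessing older kernels: the removed test `idx + nccbs >= DAX_CA_ELEMS` rejected the case where the range ends exactly at the end of the array, so on the upper bound it was too strict; the out-of-bounds access this change closes is the negative index.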