Message-Id: <20250820112828.7364-1-sid@itb.spb.ru>
Date: Wed, 20 Aug 2025 14:28:28 +0300
From: Ivan Stepchenko <sid@....spb.ru>
To: Mustafa Ismail <mustafa.ismail@...el.com>
Cc: Ivan Stepchenko <sid@....spb.ru>,
	Tatyana Nikolova <tatyana.e.nikolova@...el.com>,
	Jason Gunthorpe <jgg@...pe.ca>,
	Leon Romanovsky <leon@...nel.org>,
	Shannon Nelson <sln@...main.com>,
	Anjali Singhai Jain <anjali.singhai@...el.com>,
	Faisal Latif <faisal.latif@...el.com>,
	Doug Ledford <dledford@...hat.com>,
	linux-rdma@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: [PATCH] RDMA/i40iw: Fix 32-bit overflow in i40iw_check_mem_contiguous()

pg_size and pg_idx are u32, so pg_size * pg_idx is computed in 32-bit
and wraps once the total offset reaches 4 GiB (e.g. 2 MiB pages at
pg_idx == 2048). The wrapped offset is then widened to u64, producing
a false negative: contiguous PBL entries are incorrectly reported
as non-contiguous.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Signed-off-by: Ivan Stepchenko <sid@....spb.ru>
---
 drivers/infiniband/hw/irdma/verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index da5a41b275d8..33831cd3ce1f 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2366,7 +2366,7 @@ static bool irdma_check_mem_contiguous(u64 *arr, u32 npages, u32 pg_size)
 	u32 pg_idx;
 
 	for (pg_idx = 0; pg_idx < npages; pg_idx++) {
-		if ((*arr + (pg_size * pg_idx)) != arr[pg_idx])
+		if ((*arr + ((u64)pg_size * pg_idx)) != arr[pg_idx])
 			return false;
 	}
 
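Review bot: the subject line names RDMA/i40iw and i40iw_check_mem_contiguous(), but the @@ header of this hunk shows the function being changed is irdma_check_mem_contiguous() in drivers/infiniband/hw/irdma/verbs.c, and the Fixes: tag also cites an RDMA/irdma commit. Please retitle the patch to the irdma prefix and function name so that it matches the code it touches and is easy to find when backporting. The change itself looks right: casting one operand, as in (u64)pg_size * pg_idx, makes the multiplication 64-bit before it is added to *arr, and since both operands are u32 the product cannot overflow u64. As a side observation outside the scope of this fix, the pg_idx == 0 iteration compares *arr against arr[0] and is always true.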
-- 
2.39.5

