In the Linux kernel, the following vulnerability has been resolved:
RDMA/uverbs: Prevent integer overflow issue
In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to uverbs_request_next_ptr() which also could potentially wrap. The "cmd.sge_count * sizeof(struct ib_uverbs_sge)" multiplication can also overflow on 32bit systems although it's fine on 64bit systems.
This patch does two things. First, I've re-arranged the condition in uverbs_request_next_ptr() so that the user controlled variable "len" is on one side of the comparison by itself without any math. Then I've modified all the callers to use size_mul() for the multiplications.
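The two changes described above, modelled in user-space C as an added example (not the kernel's code or the patch itself). `struct req_iter`, `next_ptr_wrapping()`, `next_ptr_checked()`, `mul_u32_wrapping()` and `sat_mul()` are hypothetical names, and `sat_mul()` stands in for `size_mul()`, which saturates at `SIZE_MAX` instead of wrapping; the addresses and lengths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a request cursor: [cur, end) is unread user data. */
struct req_iter { uintptr_t cur, end; };

/* u32 * u32 kept in 32 bits, as in "cmd.wqe_size * cmd.wr_count": wraps. */
static uint32_t mul_u32_wrapping(uint32_t a, uint32_t b) { return a * b; }

/* Saturating multiply: clamps to SIZE_MAX instead of wrapping. */
static size_t sat_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Math on the user-controlled side: cur + len can wrap past zero. */
static int next_ptr_wrapping(struct req_iter *it, size_t len)
{
    if (it->cur + (uintptr_t)len > it->end)
        return -1;
    it->cur += len;
    return 0;
}

/* "len" alone on one side; end - cur cannot wrap while cur <= end. */
static int next_ptr_checked(struct req_iter *it, size_t len)
{
    if (len > (size_t)(it->end - it->cur))
        return -1;
    it->cur += len;
    return 0;
}

int main(void)
{
    struct req_iter a = { 0x1000, 0x1100 }, b = a, c = a; /* 256 bytes left */
    size_t huge = SIZE_MAX - 0xfff;            /* cur + huge wraps to 0 */

    printf("wrapping check, huge len: %d\n", next_ptr_wrapping(&a, huge));
    printf("checked,        huge len: %d\n", next_ptr_checked(&b, huge));
    printf("u32 product 0x10000*0x10000 = %u\n",
           (unsigned)mul_u32_wrapping(0x10000, 0x10000));
    printf("checked, saturated product: %d\n",
           next_ptr_checked(&c, sat_mul(0x10000, 0x10000)));
    return 0;
}
```

The re-arranged comparison alone still accepts a product that has already wrapped to a small value, which is why the callers' multiplications are changed as well.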
Software | From | Fixed in |
---|---|---|
linux / linux_kernel | 2.6.15 | 5.4.289 |
linux / linux_kernel | 5.11 | 5.15.176 |
linux / linux_kernel | 5.16 | 6.1.124 |
linux / linux_kernel | 5.5 | 5.10.233 |
linux / linux_kernel | 6.13-rc1 | 6.13-rc1.x |
linux / linux_kernel | 6.13-rc2 | 6.13-rc2.x |
linux / linux_kernel | 6.13-rc3 | 6.13-rc3.x |
linux / linux_kernel | 6.13-rc4 | 6.13-rc4.x |
linux / linux_kernel | 6.13-rc5 | 6.13-rc5.x |
linux / linux_kernel | 6.2 | 6.6.70 |
linux / linux_kernel | 6.7 | 6.12.9 |