diff options
| author |   Michael J. Ruhl <michael.j.ruhl@intel.com> | 2017-07-24 07:46:42 -0700 |
|---|---|---|
| committer |   Doug Ledford <dledford@redhat.com> | 2017-07-31 15:18:37 -0400 |
| commit | f13a6e5e2e0192737c3bdbdb16c5cc0181cc86e5 (patch) | |
| tree | d2d4316f48919763916db9e769f58d8a35c10ad2 /drivers/infiniband/hw/hfi1/file_ops.c | |
| parent | IB/hfi1: Verify port data VLs credits on transition to Armed (diff) | |
| download | linux-dev-f13a6e5e2e0192737c3bdbdb16c5cc0181cc86e5.tar.xz linux-dev-f13a6e5e2e0192737c3bdbdb16c5cc0181cc86e5.zip | |
IB/hfi1: Split copy_to_user data copy for better security
A copy_to_user() call assumes that two members of a data structure
are sequential. Since this may not always be true, separate the copies
to ensure a safe copy.
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Diffstat (limited to '')
| -rw-r--r-- | drivers/infiniband/hw/hfi1/file_ops.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c index 7be75e0d4f7e..650c1e578775 100644 --- a/drivers/infiniband/hw/hfi1/file_ops.c +++ b/drivers/infiniband/hw/hfi1/file_ops.c @@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd, /* * Copy the number of tidlist entries we used * and the length of the buffer we registered. - * These fields are adjacent in the structure so - * we can copy them at the same time. */ addr = arg + offsetof(struct hfi1_tid_info, tidcnt); if (copy_to_user((void __user *)addr, &tinfo.tidcnt, - sizeof(tinfo.tidcnt) + + sizeof(tinfo.tidcnt))) + return -EFAULT; + + addr = arg + offsetof(struct hfi1_tid_info, length); + if (copy_to_user((void __user *)addr, &tinfo.length, sizeof(tinfo.length))) ret = -EFAULT; } |