diff options
| author |   Jann Horn <jannh@google.com> | 2018-07-06 22:18:09 +0200 |
|---|---|---|
| committer |   Saeed Mahameed <saeedm@mellanox.com> | 2018-07-11 12:08:57 -0700 |
| commit | 31e33a5b41bb158f27c30e13b12d6e5e6513ea05 (patch) | |
| tree | 85eee11c59220deeb4139b913385e43e91be4ba2 /include/linux | |
| parent | net/mlx5: Add hardware definitions for dump_fill_mkey (diff) | |
| download | linux-dev-31e33a5b41bb158f27c30e13b12d6e5e6513ea05.tar.xz linux-dev-31e33a5b41bb158f27c30e13b12d6e5e6513ea05.zip | |
net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.
In this case, the affected files are in debugfs (and should therefore only
be accessible to root) and check that *pos is zero (which prevents the
sys_splice() trick). Therefore, this is not a security fix, but rather a
small cleanup.
For the read handlers, fix it by using simple_read_from_buffer() instead of
custom logic.
For the write handler, add a check.
changed in v2:
- also fix dbg_write()
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions