git.baikalelectronics.ru Git - kernel.git/commit

author	Jann Horn <jannh@google.com>
	Fri, 6 Jul 2018 20:18:09 +0000 (22:18 +0200)
committer	Saeed Mahameed <saeedm@mellanox.com>
	Wed, 11 Jul 2018 19:08:57 +0000 (12:08 -0700)
commit	189ea04055c0b41d8649ac69943a8ee191da5f0d
tree	85eee11c59220deeb4139b913385e43e91be4ba2	tree \| snapshot
parent	798a2eb70eefe2bc882793f91ef5cb9bee41a31b	commit \| diff

net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers

In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.

In this case, the affected files are in debugfs (and should therefore only
be accessible to root) and check that *pos is zero (which prevents the
sys_splice() trick). Therefore, this is not a security fix, but rather a
small cleanup.

For the read handlers, fix it by using simple_read_from_buffer() instead of
custom logic.
For the write handler, add a check.

changed in v2:
- also fix dbg_write()

Fixes: 7c120481afcc ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>

drivers/net/ethernet/mellanox/mlx5/core/cmd.c		diff \| blob \| history
drivers/net/ethernet/mellanox/mlx5/core/debugfs.c		diff \| blob \| history