git.baikalelectronics.ru Git - kernel.git/commit

author	Yann Droneaud <ydroneaud@opteya.com>
	Wed, 11 Dec 2013 22:01:51 +0000 (23:01 +0100)
committer	Roland Dreier <roland@purestorage.com>
	Fri, 20 Dec 2013 18:54:34 +0000 (10:54 -0800)
commit	c29443481a964d20a0b7bccff1e2922937cba3d5
tree	33aa9a3996fccec1c4c1e43c21a569d89d81348f	tree \| snapshot
parent	bd6d6b48e8200af18cfb8cb8e77d840a7b9c1085	commit \| diff

IB/uverbs: Check access to userspace response buffer in extended command

This patch adds a check on the output buffer with access_ok(VERIFY_WRITE, ...)
to ensure the whole buffer is in userspace memory before using the
pointer in uverbs functions.  If the buffer or a subset of it is not
valid, returns -EFAULT to the caller.

This will also catch invalid buffer before the final call to
copy_to_user() which happen late in most uverb functions.

Just like the check in read(2) syscall, it's a sanity check to detect
invalid parameters provided by userspace. This particular check was added
in vfs_read() by Linus Torvalds for v2.6.12 with following commit message:

https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/?id=fd770e66c9a65b14ce114e171266cf6f393df502

  Make read/write always do the full "access_ok()" tests.

  The actual user copy will do them too, but only for the
  range that ends up being actually copied. That hides
  bugs when the range has been clamped by file size or other
  issues.

Note: there's no need to check input buffer since vfs_write() already does
access_ok(VERIFY_READ, ...) as part of write() syscall.

Link: http://marc.info/?i=cover.1387273677.git.ydroneaud@opteya.com
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>