net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Jann Horn <jannh@google.com>	2018-07-06 23:18:09 +0300
committer	Saeed Mahameed <saeedm@mellanox.com>	2018-07-11 22:08:57 +0300
commit	31e33a5b41bb158f27c30e13b12d6e5e6513ea05 (patch)
tree	85eee11c59220deeb4139b913385e43e91be4ba2 /scripts/gdb/linux/lists.py
parent	b183ee27f5fb07c8428e2fe45d5f35dac611c45d (diff)
download	linux-31e33a5b41bb158f27c30e13b12d6e5e6513ea05.tar.xz

net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers

In general, accessing userspace memory beyond the length of the supplied buffer in VFS read/write handlers can lead to both kernel memory corruption (via kernel_read()/kernel_write(), which can e.g. be triggered via sys_splice()) and privilege escalation inside userspace. In this case, the affected files are in debugfs (and should therefore only be accessible to root) and check that *pos is zero (which prevents the sys_splice() trick). Therefore, this is not a security fix, but rather a small cleanup. For the read handlers, fix it by using simple_read_from_buffer() instead of custom logic. For the write handler, add a check. changed in v2: - also fix dbg_write() Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Jann Horn <jannh@google.com> Reviewed-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>

Diffstat (limited to 'scripts/gdb/linux/lists.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: