On Fri, Jul 06, 2018 at 10:18:09PM +0200, Jann Horn wrote:
> In general, accessing userspace memory beyond the length of the supplied
> buffer in VFS read/write handlers can lead to both kernel memory corruption
> (via kernel_read()/kernel_write(), which can e.g. be triggered via
> sys_splice()) and privilege escalation inside userspace.
>
> In this case, the affected files are in debugfs (and should therefore only
> be accessible to root) and check that *pos is zero (which prevents the
> sys_splice() trick). Therefore, this is not a security fix, but rather a
> small cleanup.
>
> For the read handlers, fix it by using simple_read_from_buffer() instead of
> custom logic.
> For the write handler, add a check.
>
> changed in v2:
> - also fix dbg_write()
>

Thanks Jann,

Next time, please don't put changelog in commit message.

Saeed, are you taking it to mlx5-next? It is cleanup and better to be sent to -next.

> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 28 +++++--------------
> .../net/ethernet/mellanox/mlx5/core/debugfs.c | 22 ++-------------
> 2 files changed, 9 insertions(+), 41 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c

Thanks,
Reviewed-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
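Added example, not part of the patch or of the messages above: a userspace C model of the clamping that simple_read_from_buffer() performs, next to a hypothetical read handler that checks *pos but ignores count, as the commit message describes. The names model_read_from_buffer, unchecked_read and overrun and the sample field string are constructed for illustration; memcpy() stands in for copy_to_user().

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Model of simple_read_from_buffer(); memcpy() stands in for copy_to_user(). */
static ssize_t model_read_from_buffer(void *to, size_t count, off_t *ppos,
                                      const void *from, size_t available)
{
    off_t pos = *ppos;
    if (pos < 0)
        return -EINVAL;
    if ((size_t)pos >= available || count == 0)
        return 0;                                /* EOF or empty request */
    if (count > available - (size_t)pos)
        count = available - (size_t)pos;         /* stay inside the source */
    memcpy(to, (const char *)from + pos, count); /* stay inside count */
    *ppos = pos + (off_t)count;
    return (ssize_t)count;
}

/* Hypothetical "before" handler: checks *pos, then ignores count. */
static ssize_t unchecked_read(void *to, size_t count, off_t *pos,
                              const char *field, size_t len)
{
    (void)count;
    if (*pos)
        return 0;
    memcpy(to, field, len);
    *pos += (off_t)len;
    return (ssize_t)len;
}

/* Bytes modified beyond the caller's count (count must be <= 64). */
static size_t overrun(int use_model, size_t count)
{
    static const char field[] = "0x00000000deadbeef\n"; /* constructed */
    unsigned char user[64];
    off_t pos = 0;
    size_t i, n = 0;
    memset(user, 0xAA, sizeof(user));
    if (use_model)
        model_read_from_buffer(user, count, &pos, field, sizeof(field) - 1);
    else
        unchecked_read(user, count, &pos, field, sizeof(field) - 1);
    for (i = count; i < sizeof(user); i++)
        n += (user[i] != 0xAA);
    return n;
}

int main(void) { return overrun(1, 4) != 0 || overrun(0, 4) != 15; }
```

With a 4-byte request against the 19-byte field, the unchecked handler modifies 15 bytes past the caller's buffer length, while the clamped copy modifies none and advances *ppos by exactly what it returned.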