On Fri, 2018-07-06 at 22:18 +0200, Jann Horn wrote:
> In general, accessing userspace memory beyond the length of the
> supplied
> buffer in VFS read/write handlers can lead to both kernel memory
> corruption
> (via kernel_read()/kernel_write(), which can e.g. be triggered via
> sys_splice()) and privilege escalation inside userspace.
>
> In this case, the affected files are in debugfs (and should therefore
> only
> be accessible to root) and check that *pos is zero (which prevents
> the
> sys_splice() trick). Therefore, this is not a security fix, but
> rather a
> small cleanup.
>
> For the read handlers, fix it by using simple_read_from_buffer()
> instead of
> custom logic.
> For the write handler, add a check.
>
> changed in v2:
> - also fix dbg_write()
>
> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB
> adapters")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
>
Applied to mlx5-next, Thanks!!
��.n��������+%�������w��{.n�����{���fk��ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f
