Re: [PATCH net v2] net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers

From: Saeed Mahameed
Date: Wed Jul 11 2018 - 15:10:46 EST

Next message: Rob Herring: "Re: [PATCH v2 1/4] dt-bindings: add binding for Allwinner R40 SATA AHCI controller"
Previous message: Jakub Kicinski: "Re: [PATCH bpf-next v4 2/3] bpf: btf: add btf print functionality"
In reply to: Leon Romanovsky: "Re: [PATCH net v2] net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2018-07-06 at 22:18 +0200, Jann Horn wrote:
> In general, accessing userspace memory beyond the length of the
> supplied
> buffer in VFS read/write handlers can lead to both kernel memory
> corruption
> (via kernel_read()/kernel_write(), which can e.g. be triggered via
> sys_splice()) and privilege escalation inside userspace.
>
> In this case, the affected files are in debugfs (and should therefore
> only
> be accessible to root) and check that *pos is zero (which prevents
> the
> sys_splice() trick). Therefore, this is not a security fix, but
> rather a
> small cleanup.
>
> For the read handlers, fix it by using simple_read_from_buffer()
> instead of
> custom logic.
> For the write handler, add a check.
>
> changed in v2:
> - also fix dbg_write()
>
> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB
> adapters")
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
>

Applied to mlx5-next, Thanks!!

Next message: Rob Herring: "Re: [PATCH v2 1/4] dt-bindings: add binding for Allwinner R40 SATA AHCI controller"
Previous message: Jakub Kicinski: "Re: [PATCH bpf-next v4 2/3] bpf: btf: add btf print functionality"
In reply to: Leon Romanovsky: "Re: [PATCH net v2] net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]