linux_dsm_epyc7002/drivers/infiniband/hw/mlx5
Jann Horn 60e6627f12 IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
In general, accessing userspace memory beyond the length of the supplied
buffer in VFS read/write handlers can lead to both kernel memory corruption
(via kernel_read()/kernel_write(), which can e.g. be triggered via
sys_splice()) and privilege escalation inside userspace.

In this case, the affected files are in debugfs (and should therefore only
be accessible to root), and the read handlers check that *pos is zero
(meaning that at least sys_splice() can't trigger kernel memory
corruption). Because of the root requirement, this is not a security fix,
but rather a cleanup.

For the read handlers, fix it by using simple_read_from_buffer() instead
of custom logic. Add min() calls to the write handlers.

Fixes: 4a2da0b8c0 ("IB/mlx5: Add debug control parameters for congestion control")
Fixes: e126ba97db ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
2018-07-09 13:15:12 -06:00
..
ah.c RDMA: Convert drivers to use sgid_attr instead of sgid_index 2018-06-18 11:11:26 -06:00
cmd.c Merge branch 'mlx5-dump-fill-mkey' into rdma.git for-next 2018-07-04 13:23:46 -06:00
cmd.h Merge branch 'mlx5-dump-fill-mkey' into rdma.git for-next 2018-07-04 13:23:46 -06:00
cong.c IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers 2018-07-09 13:15:12 -06:00
cq.c Merge branch 'mini_cqe' into git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma for-next 2018-05-29 15:23:18 -06:00
devx.c RDMA/uverbs: Use UVERBS_ATTR_MIN_SIZE correctly and uniformly 2018-07-04 13:47:01 -06:00
doorbell.c
gsi.c
ib_rep.c RDMA/mlx5: Update SPDX tags to show proper license 2018-06-05 14:04:20 -06:00
ib_rep.h RDMA/mlx5: Update SPDX tags to show proper license 2018-06-05 14:04:20 -06:00
ib_virt.c
Kconfig infiniband: mlx5: fix build errors when INFINIBAND_USER_ACCESS=m 2018-04-17 19:26:43 -06:00
mad.c IB/mlx5: Route MADs for dual port RoCE 2018-01-08 11:42:23 -07:00
main.c RDMA/uverbs: Remove UA_FLAGS 2018-07-04 13:47:01 -06:00
Makefile IB/mlx5: Introduce DEVX 2018-06-19 10:53:02 -06:00
mem.c
mlx5_ib.h IB/mlx5: Add support for drain SQ & RQ 2018-06-25 14:32:36 -06:00
mr.c IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers 2018-07-09 13:15:12 -06:00
odp.c
qp.c IB/mlx5: Add support for drain SQ & RQ 2018-06-25 14:32:36 -06:00
srq.c treewide: kvzalloc() -> kvcalloc() 2018-06-12 16:19:22 -07:00