From: Dennis Dalessandro <dennis.dalessandro-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
To: dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	"Michael J. Ruhl"
	<michael.j.ruhl-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Subject: [PATCH for-next 13/13] IB/hfi1: Split copy_to_user data copy for better security
Date: Mon, 24 Jul 2017 07:46:42 -0700
Message-ID: <20170724144641.10034.83618.stgit@scvm10.sc.intel.com>
In-Reply-To: <20170724144415.10034.26787.stgit-9QXIwq+3FY+1XWohqUldA0EOCMrvLtNR@public.gmane.org>

From: Michael J. Ruhl <michael.j.ruhl-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>

A copy_to_user() call assumes that two members of a data structure
are sequential.  Since this may not always be true, separate the copies
to ensure a safe copy.

Reviewed-by: Dennis Dalessandro <dennis.dalessandro-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
---
 drivers/infiniband/hw/hfi1/file_ops.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
index 7be75e0..650c1e5 100644
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
 			/*
 			 * Copy the number of tidlist entries we used
 			 * and the length of the buffer we registered.
-			 * These fields are adjacent in the structure so
-			 * we can copy them at the same time.
 			 */
 			addr = arg + offsetof(struct hfi1_tid_info, tidcnt);
 			if (copy_to_user((void __user *)addr, &tinfo.tidcnt,
-					 sizeof(tinfo.tidcnt) +
+					 sizeof(tinfo.tidcnt)))
+				return -EFAULT;
+
+			addr = arg + offsetof(struct hfi1_tid_info, length);
+			if (copy_to_user((void __user *)addr, &tinfo.length,
 					 sizeof(tinfo.length)))
 				ret = -EFAULT;
 		}
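
Review bot: The new tidcnt copy fails with `return -EFAULT;` while the length copy a few lines below still sets `ret = -EFAULT;`, so the two error paths in this block now leave the ioctl in different ways. Unless the early return is intentional, use `ret = -EFAULT;` for the tidcnt copy as well and perform the length copy only when ret is still zero, so both failures take the same exit path. The shortened comment could also record why the copies are separate: the layout of struct hfi1_tid_info does not guarantee that tidcnt and length are contiguous, and with padding between them a single copy sized as the sum of both fields would copy padding bytes and miss part of length.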
