From: Jason Gunthorpe <jgg@ziepe.ca>
To: Jann Horn <jannh@google.com>
Cc: Leon Romanovsky <leon@kernel.org>,
Doug Ledford <dledford@redhat.com>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
Date: Mon, 9 Jul 2018 13:18:14 -0600 [thread overview]
Message-ID: <20180709191814.GA26059@ziepe.ca> (raw)
In-Reply-To: <20180706204803.131152-1-jannh@google.com>
On Fri, Jul 06, 2018 at 10:48:03PM +0200, Jann Horn wrote:
> In general, accessing userspace memory beyond the length of the supplied
> buffer in VFS read/write handlers can lead to both kernel memory corruption
> (via kernel_read()/kernel_write(), which can e.g. be triggered via
> sys_splice()) and privilege escalation inside userspace.
>
> In this case, the affected files are in debugfs (and should therefore only
> be accessible to root), and the read handlers check that *pos is zero
> (meaning that at least sys_splice() can't trigger kernel memory
> corruption). Because of the root requirement, this is not a security fix,
> but rather a cleanup.
>
> For the read handlers, fix it by using simple_read_from_buffer() instead of
> custom logic. Add min() calls to the write handlers.
>
> changed in v2:
> - also fix write handlers
>
> Fixes: 4a2da0b8c078 ("IB/mlx5: Add debug control parameters for congestion control")
> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
> Signed-off-by: Jann Horn <jannh@google.com>
> Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
> ---
> drivers/infiniband/hw/mlx5/cong.c | 9 +--------
> drivers/infiniband/hw/mlx5/mr.c | 32 ++++++++-----------------------
> 2 files changed, 9 insertions(+), 32 deletions(-)
Applied to for-next
Thanks,
Jason
prev parent reply other threads:[~2018-07-09 19:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 20:48 [PATCH v2] IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers Jann Horn
2018-07-08 6:56 ` Leon Romanovsky
2018-07-09 12:22 ` Jann Horn
2018-07-09 19:18 ` Jason Gunthorpe [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180709191814.GA26059@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=dledford@redhat.com \
--cc=jannh@google.com \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).