TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

IB/hfi1: Split copy_to_user data copy for better security

Browse Source 
A copy_to_user() call assumes that two members of a data structure
are sequential.  Since this may not always be true, separate the copies
to ensure a safe copy.

Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
This commit is contained in:
Michael J. Ruhl
2017-07-24 07:46:42 -07:00
committed by Doug Ledford
parent 5e2d6764a7
commit f13a6e5e2e
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/infiniband/hw/hfi1/file_ops.c
+5 -3
View File
@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
/* /*
* Copy the number of tidlist entries we used * Copy the number of tidlist entries we used
* and the length of the buffer we registered. * and the length of the buffer we registered.
* These fields are adjacent in the structure so
* we can copy them at the same time.
*/ */
addr = arg + offsetof(struct hfi1_tid_info, tidcnt); addr = arg + offsetof(struct hfi1_tid_info, tidcnt);
if (copy_to_user((void __user *)addr, &tinfo.tidcnt, if (copy_to_user((void __user *)addr, &tinfo.tidcnt,
sizeof(tinfo.tidcnt) + sizeof(tinfo.tidcnt)))
return -EFAULT;
addr = arg + offsetof(struct hfi1_tid_info, length);
if (copy_to_user((void __user *)addr, &tinfo.length,
sizeof(tinfo.length))) sizeof(tinfo.length)))
ret = -EFAULT; ret = -EFAULT;
} }