Commit f13a6e5e authored by Michael J. Ruhl's avatar Michael J. Ruhl Committed by Doug Ledford

IB/hfi1: Split copy_to_user data copy for better security

A copy_to_user() call assumes that two members of a data structure
are sequential.  Since this may not always be true, separate the copies
to ensure a safe copy.
Reviewed-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
parent 5e2d6764
...@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd, ...@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
/* /*
* Copy the number of tidlist entries we used * Copy the number of tidlist entries we used
* and the length of the buffer we registered. * and the length of the buffer we registered.
* These fields are adjacent in the structure so
* we can copy them at the same time.
*/ */
addr = arg + offsetof(struct hfi1_tid_info, tidcnt); addr = arg + offsetof(struct hfi1_tid_info, tidcnt);
if (copy_to_user((void __user *)addr, &tinfo.tidcnt, if (copy_to_user((void __user *)addr, &tinfo.tidcnt,
sizeof(tinfo.tidcnt) + sizeof(tinfo.tidcnt)))
return -EFAULT;
addr = arg + offsetof(struct hfi1_tid_info, length);
if (copy_to_user((void __user *)addr, &tinfo.length,
sizeof(tinfo.length))) sizeof(tinfo.length)))
ret = -EFAULT; ret = -EFAULT;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment