    IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers · 60e6627f
    Jann Horn authored
    In general, accessing userspace memory beyond the length of the supplied
    buffer in VFS read/write handlers can lead to both kernel memory corruption
    (via kernel_read()/kernel_write(), which can e.g. be triggered via
    sys_splice()) and privilege escalation inside userspace.
    
    In this case, the affected files are in debugfs (and should therefore only
    be accessible to root), and the read handlers check that *pos is zero
    (meaning that at least sys_splice() can't trigger kernel memory
    corruption). Because of the root requirement, this is not a security fix,
    but rather a cleanup.
    
    For the read handlers, fix it by using simple_read_from_buffer() instead
    of custom logic. Add min() calls to the write handlers.
    
    Fixes: 4a2da0b8 ("IB/mlx5: Add debug control parameters for congestion control")
    Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
    Signed-off-by: Jann Horn <jannh@google.com>
    Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
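
The read-side bug class named in the commit message, next to a bounded copy with the semantics of simple_read_from_buffer(), as an added userspace model that is not code from this commit or from the mlx5 driver. Assumptions: memcpy() stands in for copy_to_user(), and the handler names, region size and sample string are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed userspace model: memcpy() stands in for copy_to_user(). */
typedef long (*read_fn)(char *, size_t, long long *, const char *, size_t);

/* Hypothetical custom handler: checks *pos but never consults count. */
static long read_custom(char *ubuf, size_t count, long long *pos,
                        const char *kbuf, size_t len)
{
    (void)count;
    if (*pos)
        return 0;
    memcpy(ubuf, kbuf, len);   /* can write past ubuf[count - 1] */
    *pos += (long long)len;
    return (long)len;
}

/* Models simple_read_from_buffer(): copy at most count bytes from *pos. */
static long read_bounded(char *ubuf, size_t count, long long *pos,
                         const char *kbuf, size_t len)
{
    if (*pos < 0)
        return -EINVAL;
    if ((size_t)*pos >= len || count == 0)
        return 0;
    if (count > len - (size_t)*pos)
        count = len - (size_t)*pos;
    memcpy(ubuf, kbuf + *pos, count);
    *pos += (long long)count;
    return (long)count;
}

/* Caller passes count=4 on an 8-byte region pre-filled with 0xAA canaries. */
static int canary_intact(read_fn fn, long *ret)
{
    unsigned char region[8];
    long long pos = 0;
    memset(region, 0xAA, sizeof(region));
    *ret = fn((char *)region, 4, &pos, "12345\n", 6);
    return region[4] == 0xAA && region[5] == 0xAA;
}

int main(void)
{
    long r1, r2;
    int a = canary_intact(read_custom, &r1), b = canary_intact(read_bounded, &r2);
    printf("custom: intact=%d ret=%ld; bounded: intact=%d ret=%ld\n", a, r1, b, r2);
    return 0;
}
```

The custom handler reports 6 bytes for a 4-byte request and overwrites the bytes after the caller's buffer; the bounded one returns 4 and leaves them alone, and a follow-up read at the advanced position returns the remaining 2 bytes.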
cong.c 12.9 KB