All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] IB/ocrdma: fix out of bounds access to local buffer
@ 2017-05-01  6:41 Michael Mera
       [not found] ` <20170501064116.3900-1-dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Mera @ 2017-05-01  6:41 UTC (permalink / raw)
  To: Selvin Xavier
  Cc: Michael Mera, Devesh Sharma, Doug Ledford, Sean Hefty,
	Hal Rosenstock, linux-rdma-u79uwXL29TY76Z2rM5mHXA

In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is
written at index 'count-1' where 'count' is the size of the write, so
potentially 0.

This patch filters odd values for the write size/position to avoid this
type of problem.

Signed-off-by: Michael Mera <dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
---
 drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
index f8e4b0a6486f..66056f9a9700 100644
--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
@@ -643,7 +643,7 @@ static ssize_t ocrdma_dbgfs_ops_write(struct file *filp,
 	struct ocrdma_stats *pstats = filp->private_data;
 	struct ocrdma_dev *dev = pstats->dev;
 
-	if (count > 32)
+	if (*ppos != 0 || count == 0 || count > sizeof(tmp_str))
 		goto err;
 
 	if (copy_from_user(tmp_str, buffer, count))
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] IB/ocrdma: fix out of bounds access to local buffer
       [not found] ` <20170501064116.3900-1-dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
@ 2017-05-01  8:57   ` Leon Romanovsky
       [not found]     ` <20170501085736.GW14088-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Leon Romanovsky @ 2017-05-01  8:57 UTC (permalink / raw)
  To: Michael Mera
  Cc: Selvin Xavier, Devesh Sharma, Doug Ledford, Sean Hefty,
	Hal Rosenstock, linux-rdma-u79uwXL29TY76Z2rM5mHXA

[-- Attachment #1: Type: text/plain, Size: 596 bytes --]

On Mon, May 01, 2017 at 03:41:16PM +0900, Michael Mera wrote:
> In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is
> written at index 'count-1' where 'count' is the size of the write, so
> potentially 0.
>
> This patch filters odd values for the write size/position to avoid this
> type of problem.
>
> Signed-off-by: Michael Mera <dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
> ---
>  drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Thanks,
Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] IB/ocrdma: fix out of bounds access to local buffer
       [not found]     ` <20170501085736.GW14088-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
@ 2017-05-01 20:57       ` Doug Ledford
  0 siblings, 0 replies; 3+ messages in thread
From: Doug Ledford @ 2017-05-01 20:57 UTC (permalink / raw)
  To: Leon Romanovsky, Michael Mera
  Cc: Selvin Xavier, Devesh Sharma, Sean Hefty, Hal Rosenstock,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA

On Mon, 2017-05-01 at 11:57 +0300, Leon Romanovsky wrote:
> On Mon, May 01, 2017 at 03:41:16PM +0900, Michael Mera wrote:
> > 
> > In write to debugfs file 'resource_stats' the local buffer
> > 'tmp_str' is
> > written at index 'count-1' where 'count' is the size of the write,
> > so
> > potentially 0.
> > 
> > This patch filters odd values for the write size/position to avoid
> > this
> > type of problem.
> > 
> > Signed-off-by: Michael Mera <dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
> > ---
> >  drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> 
> Thanks,
> Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Thanks, applied.

-- 
Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
    GPG KeyID: B826A3330E572FDD
   
Key fingerprint = AE6B 1BDA 122B 23B4 265B  1274 B826 A333 0E57 2FDD

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-05-01 20:57 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-01  6:41 [PATCH] IB/ocrdma: fix out of bounds access to local buffer Michael Mera
     [not found] ` <20170501064116.3900-1-dev-5Y08+B5RRAgbhb6IIWwbbQ@public.gmane.org>
2017-05-01  8:57   ` Leon Romanovsky
     [not found]     ` <20170501085736.GW14088-U/DQcQFIOTAAJjI8aNfphQ@public.gmane.org>
2017-05-01 20:57       ` Doug Ledford

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.