Date: Sun, 8 Jul 2018 09:51:13 +0300
From: Leon Romanovsky
To: Jann Horn, Saeed Mahameed
Cc: "David S. Miller", netdev@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v2] net/mlx5: fix uaccess beyond "count" in debugfs read/write handlers
Message-ID: <20180708065113.GJ3014@mtr-leonro.mtl.com>
In-Reply-To: <20180706201809.105152-1-jannh@google.com>

On Fri, Jul 06, 2018 at 10:18:09PM +0200, Jann Horn wrote:
> In general, accessing userspace memory beyond the length of the supplied
> buffer in VFS read/write handlers can lead to both kernel memory corruption
> (via kernel_read()/kernel_write(), which can e.g. be triggered via
> sys_splice()) and privilege escalation inside userspace.
>
> In this case, the affected files are in debugfs (and should therefore only
> be accessible to root) and check that *pos is zero (which prevents the
> sys_splice() trick). Therefore, this is not a security fix, but rather a
> small cleanup.
>
> For the read handlers, fix it by using simple_read_from_buffer() instead of
> custom logic.
> For the write handler, add a check.
>
> changed in v2:
>  - also fix dbg_write()
>

Thanks Jann,

Next time, please don't put changelog in commit message.

Saeed, are you taking it to mlx5-next? It is cleanup and better to be sent to -next.

> Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
> Signed-off-by: Jann Horn
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 28 +++++--------------
>  .../net/ethernet/mellanox/mlx5/core/debugfs.c | 22 ++-------------
>  2 files changed, 9 insertions(+), 41 deletions(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c

Thanks,
Reviewed-by: Leon Romanovsky
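
The read-handler bug class described in the quoted commit message, as an added userspace model in C (not the mlx5 patch and not code from this thread): `unbounded_read` is a constructed handler that checks `*pos` but ignores `count`, and `bounded_read` follows the clamping steps of the kernel's `simple_read_from_buffer()`. The names `copy_out` and `overrun` and the sample buffer contents are assumptions made for the illustration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Userspace stand-in for copy_to_user(); returns the bytes NOT copied. */
static size_t copy_out(void *to, const void *from, size_t n)
{ memcpy(to, from, n); return 0; }

/* Constructed "before" handler: checks *pos, never consults count. */
ssize_t unbounded_read(char *u, size_t count, off_t *pos, const char *k, size_t len)
{
    (void)count;                    /* the defect: caller's length is ignored */
    if (*pos)
        return 0;
    *pos = (off_t)len;
    return copy_out(u, k, len) ? -EFAULT : (ssize_t)len;
}

/* "After": the clamping steps of the kernel's simple_read_from_buffer(). */
ssize_t bounded_read(char *u, size_t count, off_t *pos, const char *k, size_t avail)
{
    size_t left, p = (size_t)*pos;
    if (*pos < 0)
        return -EINVAL;
    if (p >= avail || !count)
        return 0;
    if (count > avail - p)
        count = avail - p;          /* never exceed what is left to read */
    left = copy_out(u, k + p, count);
    if (left == count)
        return -EFAULT;
    *pos += (off_t)(count - left);
    return (ssize_t)(count - left);
}

/* Bytes a handler wrote past the caller's count, detected via 0xAA canary. */
typedef ssize_t (*read_fn)(char *, size_t, off_t *, const char *, size_t);
size_t overrun(read_fn fn, size_t count)
{
    static const char kbuf[] = "0x1234\n";   /* constructed 7-byte value */
    char arena[32];                          /* first `count` bytes = user buffer */
    off_t pos = 0;
    size_t i, n = 0;
    memset(arena, 0xAA, sizeof(arena));
    fn(arena, count, &pos, kbuf, sizeof(kbuf) - 1);
    for (i = count; i < sizeof(arena); i++)
        n += (unsigned char)arena[i] != 0xAA;
    return n;
}
```

With a 2-byte user buffer, `overrun(unbounded_read, 2)` reports the 5 bytes written past the caller's length, while `overrun(bounded_read, 2)` reports none.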