Commit f13a6e5e authored by Michael J. Ruhl, committed by Doug Ledford

IB/hfi1: Split copy_to_user data copy for better security



A copy_to_user() call assumes that two members of a data structure
are sequential.  Since this may not always be true, separate the copies
to ensure a safe copy.

Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
parent 5e2d6764
+5 −3
@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
			/*
			 * Copy the number of tidlist entries we used
			 * and the length of the buffer we registered.
			 * These fields are adjacent in the structure so
			 * we can copy them at the same time.
			 */
			addr = arg + offsetof(struct hfi1_tid_info, tidcnt);
			if (copy_to_user((void __user *)addr, &tinfo.tidcnt,
					 sizeof(tinfo.tidcnt) +
					 sizeof(tinfo.tidcnt)))
				return -EFAULT;

			addr = arg + offsetof(struct hfi1_tid_info, length);
			if (copy_to_user((void __user *)addr, &tinfo.length,
					 sizeof(tinfo.length)))
				ret = -EFAULT;
		}
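Review bot: The two copy_to_user() calls in this hunk handle failure differently: the tidcnt copy uses `return -EFAULT` while the length copy sets `ret = -EFAULT`. If code after this block releases or undoes anything on error (not visible in this hunk), the early return skips it, so both copies should take the same `ret = -EFAULT` path, or the commit message should say why the first one may return immediately. Separately, as the hunk is rendered here the first copy's size still reads `sizeof(tinfo.tidcnt) + sizeof(tinfo.tidcnt)` and the comment still says the fields are adjacent and copied together; once the copies are split, the first size should be `sizeof(tinfo.tidcnt)` alone and those two comment lines should go, otherwise the call still reads past the tidcnt member.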