| From 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa Mon Sep 17 00:00:00 2001 |
| From: Michael Mera <dev@michaelmera.com> |
| Date: Mon, 1 May 2017 15:41:16 +0900 |
| Subject: IB/ocrdma: fix out of bounds access to local buffer |
| |
| From: Michael Mera <dev@michaelmera.com> |
| |
| commit 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa upstream. |
| |
| In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is |
| written at index 'count-1' where 'count' is the size of the write, so |
| potentially 0. |
| |
| This patch filters odd values for the write size/position to avoid this |
| type of problem. |
| |
| Signed-off-by: Michael Mera <dev@michaelmera.com> |
| Reviewed-by: Leon Romanovsky <leonro@mellanox.com> |
| Signed-off-by: Doug Ledford <dledford@redhat.com> |
| Signed-off-by: Amit Pundir <amit.pundir@linaro.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c |
| +++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c |
| @@ -645,7 +645,7 @@ static ssize_t ocrdma_dbgfs_ops_write(st |
| struct ocrdma_stats *pstats = filp->private_data; |
| struct ocrdma_dev *dev = pstats->dev; |
| |
| - if (count > 32) |
| + if (*ppos != 0 || count == 0 || count > sizeof(tmp_str)) |
| goto err; |
| |
| if (copy_from_user(tmp_str, buffer, count)) |