Just like vfs_read(), uverbs_write() must check the output buffer (e.g. response) with access_ok(VERIFY_WRITE, ...) to ensure it's in userspace memory before using the pointer in uverbs functions.
If the buffer or a subset of the buffer is not valid, return -EFAULT. Note: there's no need to check the input buffer (e.g. command) since vfs_write() does the access_ok(VERIFY_READ, ...) check as part of the write() syscall. Link: http://marc.info/[email protected]> Signed-off-by: Yann Droneaud <[email protected]> --- drivers/infiniband/core/uverbs_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c index 8652c13f6ea2..0be1dd86f768 100644 --- a/drivers/infiniband/core/uverbs_main.c +++ b/drivers/infiniband/core/uverbs_main.c @@ -677,6 +677,11 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf, if (response) { if (!hdr.out_words && !ex_hdr.provider_out_words) return -EINVAL; + + if (!access_ok(VERIFY_WRITE, + response, + (hdr.out_words + ex_hdr.provider_out_words) * 8)) + return -EFAULT; } else { if (hdr.out_words || ex_hdr.provider_out_words) return -EINVAL; -- 1.8.4.2
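
Review bot: in the added access_ok() call, the length `(hdr.out_words + ex_hdr.provider_out_words) * 8` relies on a bare 8 and on both counts being in 8-byte units, which nothing in the hunk states. A short comment or a named constant would make the unit explicit, and it is worth confirming that the sum is computed in a type wide enough that the multiply cannot wrap before the range check sees it. `response` is passed straight to access_ok(), so please confirm it is already a `__user` pointer at this point rather than an integer field that needs a cast. Since access_ok() only validates the address range, the later copy_to_user() calls on this buffer still need their return values checked. As a style point, the arguments do not need one line each and would fit on two lines.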
