IB/hfi1: Split copy_to_user data copy for better security

A copy_to_user() call assumes that two members of a data structure
are sequential.  Since this may not always be true, separate the copies
to ensure a safe copy.

Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>

diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
index 7be75e0..650c1e5 100644 (file)
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -268,12 +268,14 @@ static long hfi1_file_ioctl(struct file *fp, unsigned int cmd,
                        /*
                         * Copy the number of tidlist entries we used
                         * and the length of the buffer we registered.
-                        * These fields are adjacent in the structure so
-                        * we can copy them at the same time.
                         */
                        addr = arg + offsetof(struct hfi1_tid_info, tidcnt);
                        if (copy_to_user((void __user *)addr, &tinfo.tidcnt,
-                                        sizeof(tinfo.tidcnt) +
+                                        sizeof(tinfo.tidcnt)))
+                               return -EFAULT;
+
+                       addr = arg + offsetof(struct hfi1_tid_info, length);
+                       if (copy_to_user((void __user *)addr, &tinfo.length,
                                         sizeof(tinfo.length)))
                                ret = -EFAULT;
                }