From: Ben Hutchings <bhutchings@solarflare.com>
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Jeff Garzik <jgarzik@redhat.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH] net: clear heap allocations for privileged ethtool actions
Date: Thu, 07 Oct 2010 22:34:44 +0100 [thread overview]
Message-ID: <1286487284.2271.37.camel@achroite.uk.solarflarecom.com> (raw)
In-Reply-To: <20101007211004.GA20267@outflux.net>
On Thu, 2010-10-07 at 14:10 -0700, Kees Cook wrote:
> Several other ethtool functions leave heap uncleared (potentially) by
> drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> are well controlled. In some situations (e.g. unchecked error conditions),
> the heap will remain unchanged in areas before copying back to userspace.
> Note that these are less of an issue since these all require CAP_NET_ADMIN.
>
> Cc: stable@kernel.org
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> ---
> net/core/ethtool.c | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 7a85367..fb9cf30 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -397,7 +397,7 @@ static noinline_for_stack int ethtool_get_rxfh_indir(struct net_device *dev,
> (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index))
> return -ENOMEM;
> full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size;
> - indir = kmalloc(full_size, GFP_USER);
> + indir = kzalloc(full_size, GFP_USER);
> if (!indir)
> return -ENOMEM;
>
[...]
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
You could alternately recalculate full_size before copying back to the
user buffer:
full_size = sizeof(*indir) + sizeof(*indir->ring_index) * indir->size;
but kzalloc() is more obviously safe.
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
next prev parent reply other threads:[~2010-10-07 21:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-07 21:10 [PATCH] net: clear heap allocations for privileged ethtool actions Kees Cook
2010-10-07 21:31 ` Eric Dumazet
2010-10-07 21:40 ` Ben Hutchings
2010-10-07 21:40 ` Kees Cook
2010-10-07 21:34 ` Ben Hutchings [this message]
2010-10-11 19:24 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1286487284.2271.37.camel@achroite.uk.solarflarecom.com \
--to=bhutchings@solarflare.com \
--cc=davem@davemloft.net \
--cc=jeffrey.t.kirsher@intel.com \
--cc=jgarzik@redhat.com \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peter.p.waskiewicz.jr@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.