From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Ben Hutchings <bhutchings@solarflare.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [107/140] ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
Date: Fri, 30 Jul 2010 10:31:12 -0700
Message-ID: <20100730173112.395986296@clark.site>
In-Reply-To: <20100730173205.GA22581@kroah.com>
2.6.33-stable review patch. If anyone has any objections, please let us know.
------------------
commit bf988435bd5b53529f4408a8efb1f433f6ddfda9 upstream.
struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields. It was then extended in 2.6.30 to support various additional
commands. These commands should have been defined to use a new
structure, but it is too late to change that now.
Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/linux/ethtool.h | 2 ++
net/core/ethtool.c | 38 +++++++++++++++++++++++++++++---------
2 files changed, 31 insertions(+), 9 deletions(-)
--- a/include/linux/ethtool.h
+++ b/include/linux/ethtool.h
@@ -358,6 +358,8 @@ struct ethtool_rxnfc {
__u32 flow_type;
/* The rx flow hash value or the rule DB size */
__u64 data;
+ /* The following fields are not valid and must not be used for
+ * the ETHTOOL_{G,X}RXFH commands. */
struct ethtool_rx_flow_spec fs;
__u32 rule_cnt;
__u32 rule_locs[0];
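Review bot: The added comment in struct ethtool_rxnfc names the commands as ETHTOOL_{G,X}RXFH, but the subject line, the commit message and the comments added in net/core/ethtool.c all say ETHTOOL_{G,S}RXFH, and there is no X variant anywhere in this patch. Since this header is what driver and user-space authors read to learn which members are valid, the comment should read "the ETHTOOL_{G,S}RXFH commands".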
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -209,22 +209,34 @@ static int ethtool_get_drvinfo(struct ne
return 0;
}
-static int ethtool_set_rxnfc(struct net_device *dev, void __user *useraddr)
+static int ethtool_set_rxnfc(struct net_device *dev,
+ u32 cmd, void __user *useraddr)
{
- struct ethtool_rxnfc cmd;
+ struct ethtool_rxnfc info;
+ size_t info_size = sizeof(info);
if (!dev->ethtool_ops->set_rxnfc)
return -EOPNOTSUPP;
- if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
+ /* struct ethtool_rxnfc was originally defined for
+ * ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
+ * members. User-space might still be using that
+ * definition. */
+ if (cmd == ETHTOOL_SRXFH)
+ info_size = (offsetof(struct ethtool_rxnfc, data) +
+ sizeof(info.data));
+
+ if (copy_from_user(&info, useraddr, info_size))
return -EFAULT;
- return dev->ethtool_ops->set_rxnfc(dev, &cmd);
+ return dev->ethtool_ops->set_rxnfc(dev, &info);
}
-static int ethtool_get_rxnfc(struct net_device *dev, void __user *useraddr)
+static int ethtool_get_rxnfc(struct net_device *dev,
+ u32 cmd, void __user *useraddr)
{
struct ethtool_rxnfc info;
+ size_t info_size = sizeof(info);
const struct ethtool_ops *ops = dev->ethtool_ops;
int ret;
void *rule_buf = NULL;
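Review bot: In ethtool_set_rxnfc(), when cmd == ETHTOOL_SRXFH only the cmd, flow_type and data members of the on-stack info are filled by copy_from_user(), yet the whole struct is then passed to dev->ethtool_ops->set_rxnfc() with fs and rule_cnt holding whatever was previously on the kernel stack. The header comment tells drivers not to use those members for this command, but nothing enforces it; zeroing the struct before the copy, for example with memset(&info, 0, sizeof(info)), would make a driver that reads them by mistake see zeros rather than stale stack contents. The same applies to info in ethtool_get_rxnfc(). The size expression offsetof(struct ethtool_rxnfc, data) + sizeof(info.data) is also written out twice in this file and could live in one named macro or helper so the two paths cannot drift apart.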
@@ -232,7 +244,15 @@ static int ethtool_get_rxnfc(struct net_
if (!ops->get_rxnfc)
return -EOPNOTSUPP;
- if (copy_from_user(&info, useraddr, sizeof(info)))
+ /* struct ethtool_rxnfc was originally defined for
+ * ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
+ * members. User-space might still be using that
+ * definition. */
+ if (cmd == ETHTOOL_GRXFH)
+ info_size = (offsetof(struct ethtool_rxnfc, data) +
+ sizeof(info.data));
+
+ if (copy_from_user(&info, useraddr, info_size))
return -EFAULT;
if (info.cmd == ETHTOOL_GRXCLSRLALL) {
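Review bot: The copy length at "if (cmd == ETHTOOL_GRXFH)" is chosen from the cmd argument, but the branch immediately after the copy tests info.cmd == ETHTOOL_GRXCLSRLALL, and info.cmd is a value read from user memory by this copy_from_user(). If the two can ever disagree, the short copy leaves the members after data uninitialized while the code takes the GRXCLSRLALL branch. Consider returning -EINVAL when info.cmd != cmd right after the copy, or testing cmd instead of info.cmd in the later condition, so that the size decision and the dispatch decision are made on the same value.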
@@ -250,7 +270,7 @@ static int ethtool_get_rxnfc(struct net_
goto err_out;
ret = -EFAULT;
- if (copy_to_user(useraddr, &info, sizeof(info)))
+ if (copy_to_user(useraddr, &info, info_size))
goto err_out;
if (rule_buf) {
@@ -1095,12 +1115,12 @@ int dev_ethtool(struct net *net, struct
case ETHTOOL_GRXCLSRLCNT:
case ETHTOOL_GRXCLSRULE:
case ETHTOOL_GRXCLSRLALL:
- rc = ethtool_get_rxnfc(dev, useraddr);
+ rc = ethtool_get_rxnfc(dev, ethcmd, useraddr);
break;
case ETHTOOL_SRXFH:
case ETHTOOL_SRXCLSRLDEL:
case ETHTOOL_SRXCLSRLINS:
- rc = ethtool_set_rxnfc(dev, useraddr);
+ rc = ethtool_set_rxnfc(dev, ethcmd, useraddr);
break;
case ETHTOOL_GGRO:
rc = ethtool_get_gro(dev, useraddr);