From: Kees Cook <kees.cook@canonical.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Ben Hutchings <bhutchings@solarflare.com>,
Jeff Garzik <jgarzik@redhat.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>,
Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH] net: clear heap allocations for privileged ethtool actions
Date: Thu, 7 Oct 2010 14:40:21 -0700 [thread overview]
Message-ID: <20101007214021.GL14666@outflux.net> (raw)
In-Reply-To: <1286487085.3745.99.camel@edumazet-laptop>
Hi Eric,
On Thu, Oct 07, 2010 at 11:31:25PM +0200, Eric Dumazet wrote:
> Le jeudi 07 octobre 2010 à 14:10 -0700, Kees Cook a écrit :
> > Several other ethtool functions leave heap uncleared (potentially) by
> > drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
> > are well controlled. In some situations (e.g. unchecked error conditions),
> > the heap will remain unchanged in areas before copying back to userspace.
> > Note that these are less of an issue since these all require CAP_NET_ADMIN.
>
> > @@ -775,7 +775,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
> > if (regs.len > reglen)
> > regs.len = reglen;
> >
> > - regbuf = kmalloc(reglen, GFP_USER);
> > + regbuf = kzalloc(reglen, GFP_USER);
> > if (!regbuf)
> > return -ENOMEM;
> >
> > --
> > 1.7.1
> >
>
> Are you sure this is not hiding a more problematic problem ?
>
> Code does :
>
> reglen = ops->get_regs_len(dev);
> if (regs.len > reglen)
> regs.len = reglen;
> regbuf = kmalloc(reglen, GFP_USER);
>
> So we can not copy back kernel memory.
>
> However, what happens if user provides regs.len = 1 byte, and driver
> get_regs() doesnt properly checks regs.len and write past end of regbuf
> -> We probably write on other parts of kernel memory
This code is basically a max() call from what I see.
regbuf = kmalloc(max(regs.len, ops->get_regs_len(dev)), GFP_USER);
If the user passes regs.len = 1, it will be ignored in favor of reglen,
so we'll not write past the end of regbuf, unless I'm misunderstanding.
-Kees
--
Kees Cook
Ubuntu Security Team
next prev parent reply other threads:[~2010-10-07 21:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-07 21:10 [PATCH] net: clear heap allocations for privileged ethtool actions Kees Cook
2010-10-07 21:31 ` Eric Dumazet
2010-10-07 21:40 ` Ben Hutchings
2010-10-07 21:40 ` Kees Cook [this message]
2010-10-07 21:34 ` Ben Hutchings
2010-10-11 19:24 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101007214021.GL14666@outflux.net \
--to=kees.cook@canonical.com \
--cc=bhutchings@solarflare.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=jeffrey.t.kirsher@intel.com \
--cc=jgarzik@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peter.p.waskiewicz.jr@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.