From: Jakub Kicinski <kuba@kernel.org>
To: Ding Hui <dinghui@sangfor.com.cn>
Cc: Alexander Duyck <alexander.duyck@gmail.com>,
Andrew Lunn <andrew@lunn.ch>,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
pengdonglin@sangfor.com.cn, huangcun@sangfor.com.cn
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user
Date: Fri, 2 Jun 2023 22:55:19 -0700 [thread overview]
Message-ID: <20230602225519.66c2c987@kernel.org> (raw)
In-Reply-To: <44905acd-3ac4-cfe5-5e91-d182c1959407@sangfor.com.cn>
On Sat, 3 Jun 2023 09:51:34 +0800 Ding Hui wrote:
> > If that is the case maybe it would just make more sense to just return
> > an error if we are at risk of overrunning the userspace allocated
> > buffer.
>
> In that case, I can modify to return an error, however, I think the
> ENOSPC or EFBIG mentioned in a previous email may not be suitable,
> maybe like others length/size checking return EINVAL.
>
> Another thing I wondered is that should I update the current length
> back to user if user buffer is not enough, assuming we update the new
> length with error returned, the userspace can use it to reallocate
> buffer if he wants to, which can avoid re-call previous ioctl to get
> the new length.
This entire thread presupposes that user provides the length of
the buffer. I don't see that in the code. Take ethtool_get_stats()
as an example, you assume that stats.n_stats is set correctly,
but it's not enforced today. Some app somewhere may pass in zeroed
out stats and work just fine.
next prev parent reply other threads:[~2023-06-03 5:55 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 11:28 [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user Ding Hui
2023-06-01 15:04 ` Alexander H Duyck
2023-06-02 1:46 ` Ding Hui
2023-06-02 12:26 ` Andrew Lunn
2023-06-02 15:01 ` Ding Hui
2023-06-02 15:37 ` Andrew Lunn
2023-06-02 16:01 ` Alexander Duyck
2023-06-02 16:37 ` Andrew Lunn
2023-06-02 18:02 ` Alexander Duyck
2023-06-03 1:51 ` Ding Hui
2023-06-03 5:55 ` Jakub Kicinski [this message]
2023-06-03 7:11 ` Ding Hui
2023-06-04 17:47 ` Jakub Kicinski
2023-06-05 3:39 ` Ding Hui
2023-06-05 18:39 ` Jakub Kicinski
2023-06-08 9:06 ` Ding Hui
2023-06-08 14:17 ` Alexander Duyck
2023-06-09 15:25 ` Ding Hui
2023-06-09 17:13 ` Jakub Kicinski
2023-06-09 17:59 ` Alexander Duyck
2023-06-10 3:47 ` Ding Hui
2023-06-10 4:01 ` Ding Hui
2023-06-02 15:30 ` Alexander Duyck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230602225519.66c2c987@kernel.org \
--to=kuba@kernel.org \
--cc=alexander.duyck@gmail.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=dinghui@sangfor.com.cn \
--cc=edumazet@google.com \
--cc=huangcun@sangfor.com.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pengdonglin@sangfor.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.