From: Ben Hutchings <bhutchings@solarflare.com>
To: Michal Schmidt <mschmidt@redhat.com>
Cc: David Miller <davem@davemloft.net>, <netdev@vger.kernel.org>,
"Anirban Chakraborty" <anirban.chakraborty@qlogic.com>
Subject: Re: [PATCH net-next] ethtool: make .get_dump_data() harder to misuse by drivers
Date: Mon, 1 Jul 2013 16:53:55 +0100 [thread overview]
Message-ID: <1372694035.2083.0.camel@bwh-desktop.uk.level5networks.com> (raw)
In-Reply-To: <1372692210-31131-1-git-send-email-mschmidt@redhat.com>
On Mon, 2013-07-01 at 17:23 +0200, Michal Schmidt wrote:
> As the patch "bnx2x: remove zeroing of dump data buffer" showed,
> it is too easy implement .get_dump_data incorrectly in a driver.
>
> Let's make sure drivers cannot get confused by userspace requesting
> a too big dump.
>
> Also WARN if the driver sets dump->len to something weird and make
> sure the length reported to userspace is the actual length of data
> copied to userspace.
>
> Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> net/core/ethtool.c | 21 ++++++++++++++++++++-
> 1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index ce91766..3b71cdb 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -1319,10 +1319,19 @@ static int ethtool_get_dump_data(struct net_device *dev,
> if (ret)
> return ret;
>
> - len = (tmp.len > dump.len) ? dump.len : tmp.len;
> + len = min(tmp.len, dump.len);
> if (!len)
> return -EFAULT;
>
> + /* Don't ever let the driver think there's more space available
> + * than it requested with .get_dump_flag().
> + */
> + dump.len = len;
> +
> + /* Always allocate enough space to hold the whole thing so that the
> + * driver does not need to check the length and bother with partial
> + * dumping.
> + */
> data = vzalloc(tmp.len);
> if (!data)
> return -ENOMEM;
> @@ -1330,6 +1339,16 @@ static int ethtool_get_dump_data(struct net_device *dev,
> if (ret)
> goto out;
>
> + /* There are two sane possibilities:
> + * 1. The driver's .get_dump_data() does not touch dump.len.
> + * 2. Or it may set dump.len to how much it really writes, which
> + * should be tmp.len (or len if it can do a partial dump).
> + * In any case respond to userspace with the actual length of data
> + * it's receiving.
> + */
> + WARN_ON(dump.len != len && dump.len != tmp.len);
> + dump.len = len;
> +
> if (copy_to_user(useraddr, &dump, sizeof(dump))) {
> ret = -EFAULT;
> goto out;
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
next prev parent reply other threads:[~2013-07-01 15:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-01 15:23 [PATCH net-next] ethtool: make .get_dump_data() harder to misuse by drivers Michal Schmidt
2013-07-01 15:53 ` Ben Hutchings [this message]
2013-07-02 7:16 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1372694035.2083.0.camel@bwh-desktop.uk.level5networks.com \
--to=bhutchings@solarflare.com \
--cc=anirban.chakraborty@qlogic.com \
--cc=davem@davemloft.net \
--cc=mschmidt@redhat.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox