From: Wenwen Wang
Subject: [PATCH] net: socket: fix a missing-check bug
Date: Sat, 20 Oct 2018 10:58:10 -0500
Message-ID: <1540051091-16604-1-git-send-email-wang6495@umn.edu>
Cc: Kangjie Lu, "David S. Miller", netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
To: Wenwen Wang

In ethtool_ioctl(), the ioctl command is firstly obtained from the user-space buffer 'compat_rxnfc' through get_user() and saved to 'ethcmd'. Then, 'ethcmd' is checked to see whether it is necessary to pre-process the ethtool structure, because the structure ethtool_rxnfc is defined with padding, as mentioned in the comment. If yes, a user-space buffer 'rxnfc' is allocated through compat_alloc_user_space() and then the data in the original buffer 'compat_rxnfc' is copied to 'rxnfc' through copy_in_user(), including the ioctl command. It is worth noting that after this copy, there is no check enforced on the copied ioctl command.
That means it is possible that 'rxnfc->cmd' is different from 'ethcmd', because a malicious user can race to modify the ioctl command in 'compat_rxnfc' between these two copies. Eventually, the ioctl command in 'rxnfc' will be used in dev_ethtool(). This can cause undefined behavior of the kernel and introduce a potential security risk.

This patch avoids the above issue by rewriting 'rxnfc->cmd' using 'ethcmd' after copy_in_user().

Signed-off-by: Wenwen Wang
---
 net/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/socket.c b/net/socket.c
index 01f3f8f..c5f969c 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2879,6 +2879,8 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32) copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt, sizeof(rxnfc->rule_cnt))) return -EFAULT; + + rxnfc->cmd = ethcmd; } ret = dev_ioctl(net, SIOCETHTOOL, &ifr, NULL);
-- 
2.7.4
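Review bot: the added `rxnfc->cmd = ethcmd;` stores through a user-space pointer with a plain assignment; `rxnfc` is the buffer obtained from compat_alloc_user_space() and every other access to it in this hunk goes through copy_in_user(), so the store should be `if (put_user(ethcmd, &rxnfc->cmd)) return -EFAULT;` so that the user-pointer access is performed (and fault-checked) the same way as the surrounding copies, and so sparse does not flag a bare dereference of a `__user` pointer. With that change the approach is sound: dev_ethtool() reads the command from the copied buffer, so pinning that field to the already-validated `ethcmd` removes the window in which the caller can change the command in 'compat_rxnfc' between the get_user() and the copy_in_user().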