Re: [PATCH net-2.6] niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: David Miller <davem@davemloft.net>
To: bhutchings@solarflare.com
Cc: netdev@vger.kernel.org, santwona.behera@sun.com
Subject: Re: [PATCH net-2.6] niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
Date: Wed, 08 Sep 2010 14:03:59 -0700 (PDT)	[thread overview]
Message-ID: <20100908.140359.15225710.davem@davemloft.net> (raw)
In-Reply-To: <1283870119.2270.5.camel@achroite.uk.solarflarecom.com>

From: Ben Hutchings <bhutchings@solarflare.com>
Date: Tue, 07 Sep 2010 15:35:19 +0100

> niu_get_ethtool_tcam_all() assumes that its output buffer is the right
> size, and warns before returning if it is not.  However, the output
> buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
> unprivileged ethtool command.  Therefore this is at least a local
> denial-of-service vulnerability.
> 
> Change it to check before writing each entry and to return an error if
> the buffer is already full.
> 
> Compile-tested only.
> 
> Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

Good catch, thanks Ben.

> There may be more of these but AFAIK this is the only RXNFC command that
> deals with variable-length data.
> 
> I wonder whether it really makes sense for ethtool getter commands to be
> generally unprivileged.  Does the convenience outweigh the risk of a
> driver bug becoming a local DoS or root hole, or the disclosure of
> information such as (in this case) which flows the administrator
> considers interesting?

I'm ambivalent about this specific case, to be honest.  Although one
argument for what we do now is that often admins do things as root
as little as possible and this helps that.

     prev parent reply	other threads:[~2010-09-08 21:03 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-07 14:35 [PATCH net-2.6] niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL Ben Hutchings
2010-09-08 21:03 ` David Miller [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100908.140359.15225710.davem@davemloft.net \
    --to=davem@davemloft.net \
    --cc=bhutchings@solarflare.com \
    --cc=netdev@vger.kernel.org \
    --cc=santwona.behera@sun.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).