[PATCH] net: clear heap allocation for ETHTOOL

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL
@ 2010-10-07 20:03 Kees Cook
  2010-10-07 20:28 ` Ben Hutchings
  0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2010-10-07 20:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: David S. Miller, Ben Hutchings, Jeff Garzik, Jeff Kirsher,
	Peter P Waskiewicz Jr, netdev

Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.

Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
 net/core/ethtool.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 7a85367..4016ac6 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
 	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
 		if (info.rule_cnt > 0) {
 			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
-				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
 						   GFP_USER);
 			if (!rule_buf)
 				return -ENOMEM;
-- 
1.7.1

-- 
Kees Cook
Ubuntu Security Team

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL
  2010-10-07 20:03 [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL Kees Cook
@ 2010-10-07 20:28 ` Ben Hutchings
  2010-10-08 17:49   ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Ben Hutchings @ 2010-10-07 20:28 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-kernel, David S. Miller, Jeff Garzik, Jeff Kirsher,
	Peter P Waskiewicz Jr, netdev

On Thu, 2010-10-07 at 13:03 -0700, Kees Cook wrote:
> Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
> heap without clearing it. For the one driver (niu) that implements it,
> it will leave the unused portion of heap unchanged and copy the full
> contents back to userspace.
> 
> Cc: stable@kernel.org
> Signed-off-by: Kees Cook <kees.cook@canonical.com>

Acked-by: Ben Hutchings <bhutchings@solarflare.com>

Should have spotted this myself. :-(

Ben.

> ---
>  net/core/ethtool.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 7a85367..4016ac6 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
>  	if (info.cmd == ETHTOOL_GRXCLSRLALL) {
>  		if (info.rule_cnt > 0) {
>  			if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
> -				rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
> +				rule_buf = kzalloc(info.rule_cnt * sizeof(u32),
>  						   GFP_USER);
>  			if (!rule_buf)
>  				return -ENOMEM;
> -- 
> 1.7.1
> 

-- 
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL
  2010-10-07 20:28 ` Ben Hutchings
@ 2010-10-08 17:49   ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2010-10-08 17:49 UTC (permalink / raw)
  To: bhutchings
  Cc: kees.cook, linux-kernel, jgarzik, jeffrey.t.kirsher,
	peter.p.waskiewicz.jr, netdev

From: Ben Hutchings <bhutchings@solarflare.com>
Date: Thu, 07 Oct 2010 21:28:58 +0100

> On Thu, 2010-10-07 at 13:03 -0700, Kees Cook wrote:
>> Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
>> heap without clearing it. For the one driver (niu) that implements it,
>> it will leave the unused portion of heap unchanged and copy the full
>> contents back to userspace.
>> 
>> Cc: stable@kernel.org
>> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> 
> Acked-by: Ben Hutchings <bhutchings@solarflare.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-10-08 17:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-07 20:03 [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL Kees Cook
2010-10-07 20:28 ` Ben Hutchings
2010-10-08 17:49   ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).