* [PATCH] net: tehuti: don't process data if it has not been copied from userspace
@ 2017-07-19 17:46 Colin King
2017-07-20 5:49 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Colin King @ 2017-07-19 17:46 UTC (permalink / raw)
To: Andy Gospodarek, netdev; +Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The array data is only populated with valid information from userspace
if cmd != SIOCDEVPRIVATE, other cases the array contains garbage on
the stack. The subsequent switch statement acts on a subcommand in
data[0] which could be any garbage value if cmd is SIOCDEVPRIVATE which
seems incorrect to me. Instead, just return EOPNOTSUPP for the case
where cmd == SIOCDEVPRIVATE to avoid this issue.
As a side note, I suspect that the original intention of the code
was for this ioctl to work just for cmd == SIOCDEVPRIVATE (and the
current logic is reversed). However, I don't wont to change the current
semantics in case any userspace code relies on this existing behaviour.
Detected by CoverityScan, CID#139647 ("Uninitialized scalar variable")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/net/ethernet/tehuti/tehuti.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/tehuti/tehuti.c b/drivers/net/ethernet/tehuti/tehuti.c
index 711fbbbc4b1f..163d8d16bc24 100644
--- a/drivers/net/ethernet/tehuti/tehuti.c
+++ b/drivers/net/ethernet/tehuti/tehuti.c
@@ -654,6 +654,8 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
RET(-EFAULT);
}
DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
+ } else {
+ return -EOPNOTSUPP;
}
if (!capable(CAP_SYS_RAWIO))
--
2.11.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] net: tehuti: don't process data if it has not been copied from userspace
2017-07-19 17:46 [PATCH] net: tehuti: don't process data if it has not been copied from userspace Colin King
@ 2017-07-20 5:49 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-07-20 5:49 UTC (permalink / raw)
To: colin.king; +Cc: andy, netdev, kernel-janitors, linux-kernel
From: Colin King <colin.king@canonical.com>
Date: Wed, 19 Jul 2017 18:46:59 +0100
> From: Colin Ian King <colin.king@canonical.com>
>
> The array data is only populated with valid information from userspace
> if cmd != SIOCDEVPRIVATE, other cases the array contains garbage on
> the stack. The subsequent switch statement acts on a subcommand in
> data[0] which could be any garbage value if cmd is SIOCDEVPRIVATE which
> seems incorrect to me. Instead, just return EOPNOTSUPP for the case
> where cmd == SIOCDEVPRIVATE to avoid this issue.
>
> As a side note, I suspect that the original intention of the code
> was for this ioctl to work just for cmd == SIOCDEVPRIVATE (and the
> current logic is reversed). However, I don't wont to change the current
> semantics in case any userspace code relies on this existing behaviour.
>
> Detected by CoverityScan, CID#139647 ("Uninitialized scalar variable")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Yeah this is the safest change for now, applied.
Francois added the register address range checking a year after the
driver was added, so maybe someone used this facility.
It should have been done via ethtool getregs...
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-07-20 5:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-19 17:46 [PATCH] net: tehuti: don't process data if it has not been copied from userspace Colin King
2017-07-20 5:49 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).