From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH] net: cxgb3_main: fix a missing-check bug Date: Fri, 05 Oct 2018 11:47:35 -0700 (PDT) Message-ID: <20181005.114735.1078401743683539709.davem@davemloft.net> References: <1538747307-21403-1-git-send-email-wang6495@umn.edu> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: kjlu@umn.edu, santosh@chelsio.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org To: wang6495@umn.edu Return-path: In-Reply-To: <1538747307-21403-1-git-send-email-wang6495@umn.edu> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org From: Wenwen Wang Date: Fri, 5 Oct 2018 08:48:27 -0500 > In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from > the user-space buffer 'useraddr' to 'cmd' and checked through the > switch statement. If the command is not as expected, an error code > EOPNOTSUPP is returned. In the following execution, i.e., the cases of the > switch statement, the whole buffer of 'useraddr' is copied again to a > specific data structure, according to what kind of command is requested. > However, after the second copy, there is no re-check on the newly-copied > command. Given that the buffer 'useraddr' is in the user space, a malicious > user can race to change the command between the two copies. By doing so, > the attacker can supply malicious data to the kernel and cause undefined > behavior. > > This patch adds a re-check in each case of the switch statement if there is > a second copy in that case, to re-check whether the command obtained in the > second copy is the same as the one in the first copy. If not, an error code > EINVAL is returned. > > Signed-off-by: Wenwen Wang Applied.