From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH] ethtool: fix a privilege escalation bug Date: Mon, 15 Oct 2018 21:39:18 -0700 (PDT) Message-ID: <20181015.213918.1656394276439267836.davem@davemloft.net> References: <1539013777-1625-1-git-send-email-wang6495@umn.edu> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: kjlu@umn.edu, f.fainelli@gmail.com, keescook@chromium.org, andrew@lunn.ch, ecree@solarflare.com, ilyal@mellanox.com, ynorov@caviumnetworks.com, alan.brady@intel.com, stephen@networkplumber.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org To: wang6495@umn.edu Return-path: Received: from shards.monkeyblade.net ([23.128.96.9]:42948 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726780AbeJPM1t (ORCPT ); Tue, 16 Oct 2018 08:27:49 -0400 In-Reply-To: <1539013777-1625-1-git-send-email-wang6495@umn.edu> Sender: netdev-owner@vger.kernel.org List-ID: From: Wenwen Wang Date: Mon, 8 Oct 2018 10:49:35 -0500 > In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the > use-space buffer 'useraddr' and checked to see whether it is > ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from > the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next, > according to 'sub_cmd', a permission check is enforced through the function > ns_capable(). For example, the permission check is required if 'sub_cmd' is > ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is > ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be > done by anyone". The following execution invokes different handlers > according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE, > ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel > object 'per_queue_opt' is copied again from the user-space buffer > 'useraddr' and 'per_queue_opt.sub_command' is used to determine which > operation should be performed. Given that the buffer 'useraddr' is in the > user space, a malicious user can race to change the sub-command between the > two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and > ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then > before ethtool_set_per_queue() is called, the attacker changes > ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can > bypass the permission check and execute ETHTOOL_SCOALESCE. > > This patch enforces a check in ethtool_set_per_queue() after the second > copy from 'useraddr'. If the sub-command is different from the one obtained > in the first copy in dev_ethtool(), an error code EINVAL will be returned. > > Signed-off-by: Wenwen Wang Applied and queued up for -stable.