From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH] ethtool: fix a missing-check bug Date: Mon, 15 Oct 2018 21:39:28 -0700 (PDT) Message-ID: <20181015.213928.1979135633281436819.davem@davemloft.net> References: <1539090940-5323-1-git-send-email-wang6495@umn.edu> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: kjlu@umn.edu, f.fainelli@gmail.com, keescook@chromium.org, ilyal@mellanox.com, ecree@solarflare.com, ynorov@caviumnetworks.com, alan.brady@intel.com, eugenia@mellanox.com, stephen@networkplumber.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org To: wang6495@umn.edu Return-path: In-Reply-To: <1539090940-5323-1-git-send-email-wang6495@umn.edu> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org From: Wenwen Wang Date: Tue, 9 Oct 2018 08:15:38 -0500 > In ethtool_get_rxnfc(), the eth command 'cmd' is compared against > 'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable > 'info_size'. Then the whole structure of 'info' is copied from the > user-space buffer 'useraddr' with 'info_size' bytes. In the following > execution, 'info' may be copied again from the buffer 'useraddr' depending > on the 'cmd' and the 'info.flow_type'. However, after these two copies, > there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also > copied from the buffer 'useraddr' in dev_ethtool(), which is the caller > function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user > space, a malicious user can race to change the eth command in the buffer > between these copies. By doing so, the attacker can supply inconsistent > data and cause undefined behavior because in the following execution 'info' > will be passed to ops->get_rxnfc(). > > This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that > they are still same after the two copies in ethtool_get_rxnfc(). Otherwise, > an error code EINVAL will be returned. > > Signed-off-by: Wenwen Wang Applied.