From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Wenwen Wang <wang6495@umn.edu>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 24/25] net: cxgb3_main: fix a missing-check bug
Date: Tue, 16 Oct 2018 00:16:05 -0400
Message-ID: <20181016041606.135876-24-sashal@kernel.org>
In-Reply-To: <20181016041606.135876-1-sashal@kernel.org>
From: Wenwen Wang <wang6495@umn.edu>
[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]
In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
the user-space buffer 'useraddr' to 'cmd' and checked through the
switch statement. If the command is not as expected, an error code
EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
switch statement, the whole buffer of 'useraddr' is copied again to a
specific data structure, according to what kind of command is requested.
However, after the second copy, there is no re-check on the newly-copied
command. Given that the buffer 'useraddr' is in the user space, a malicious
user can race to change the command between the two copies. By doing so,
the attacker can supply malicious data to the kernel and cause undefined
behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL is returned.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
index 7ae8374bff13..3dd4c39640dc 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -2147,6 +2147,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EPERM;
if (copy_from_user(&t, useraddr, sizeof(t)))
return -EFAULT;
+ if (t.cmd != CHELSIO_SET_QSET_PARAMS)
+ return -EINVAL;
if (t.qset_idx >= SGE_QSETS)
return -EINVAL;
if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
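Review bot: the same three-line re-check is repeated verbatim in eight cases with only the constant changing, and nothing at the check itself says why it exists; a one-line comment here (or a small helper shared by all cases) stating that the comparison guards against 'cmd' being rewritten in user memory between the two copy_from_user() calls would stop a later cleanup from dropping it as redundant with the switch.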
@@ -2246,6 +2248,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
if (copy_from_user(&t, useraddr, sizeof(t)))
return -EFAULT;
+ if (t.cmd != CHELSIO_GET_QSET_PARAMS)
+ return -EINVAL;
+
/* Display qsets for all ports when offload enabled */
if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
q1 = 0;
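Review bot: minor style point, this is the only hunk that adds a blank line after the new `return -EINVAL;` (line 51); the other seven hunks put the next statement directly after it. Either is acceptable, but one convention within a single patch is preferable.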
@@ -2291,6 +2296,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EBUSY;
if (copy_from_user(&edata, useraddr, sizeof(edata)))
return -EFAULT;
+ if (edata.cmd != CHELSIO_SET_QSET_NUM)
+ return -EINVAL;
if (edata.val < 1 ||
(edata.val > 1 && !(adapter->flags & USING_MSIX)))
return -EINVAL;
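Review bot: the check compares `edata.cmd`, a different struct from the `t` used in the neighbouring cases, against the value the initial copy dispatched on, so it relies on every per-command struct carrying its cmd word at the same offset the first copy_from_user() read. That invariant is what makes a plain field comparison sufficient; it is worth stating in the commit message so a future struct that breaks it is noticed.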
@@ -2331,6 +2338,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EPERM;
if (copy_from_user(&t, useraddr, sizeof(t)))
return -EFAULT;
+ if (t.cmd != CHELSIO_LOAD_FW)
+ return -EINVAL;
/* Check t.len sanity ? */
fw_data = memdup_user(useraddr + sizeof(t), t.len);
if (IS_ERR(fw_data))
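Review bot: the re-check is correctly placed before `t.len` is consumed, but the pre-existing `/* Check t.len sanity ? */` directly below is still open: `t.len` comes straight from user space and is passed to memdup_user() without an upper bound. The `IS_ERR(fw_data)` path handles the allocation failing, so this is not a defect introduced by the hunk, but a maximum firmware length check next to the new `if` would be the natural place to close that question.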
@@ -2354,6 +2363,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EBUSY;
if (copy_from_user(&m, useraddr, sizeof(m)))
return -EFAULT;
+ if (m.cmd != CHELSIO_SETMTUTAB)
+ return -EINVAL;
if (m.nmtus != NMTUS)
return -EINVAL;
if (m.mtus[0] < 81) /* accommodate SACK */
@@ -2395,6 +2406,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EBUSY;
if (copy_from_user(&m, useraddr, sizeof(m)))
return -EFAULT;
+ if (m.cmd != CHELSIO_SET_PM)
+ return -EINVAL;
if (!is_power_of_2(m.rx_pg_sz) ||
!is_power_of_2(m.tx_pg_sz))
return -EINVAL; /* not power of 2 */
@@ -2428,6 +2441,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EIO; /* need the memory controllers */
if (copy_from_user(&t, useraddr, sizeof(t)))
return -EFAULT;
+ if (t.cmd != CHELSIO_GET_MEM)
+ return -EINVAL;
if ((t.addr & 7) || (t.len & 7))
return -EINVAL;
if (t.mem_id == MEM_CM)
@@ -2480,6 +2495,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
return -EAGAIN;
if (copy_from_user(&t, useraddr, sizeof(t)))
return -EFAULT;
+ if (t.cmd != CHELSIO_SET_TRACE_FILTER)
+ return -EINVAL;
tp = (const struct trace_params *)&t.sip;
if (t.config_tx)
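Review bot: this case shows most clearly why the re-check matters: the line after it reinterprets the tail of `t` through a cast (`(const struct trace_params *)&t.sip`), so the refetched bytes are read through a second layout; confirming `t.cmd` first ensures they were written as a CHELSIO_SET_TRACE_FILTER request rather than some other command's struct.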
--
2.17.1
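Added example, not part of this mail or the cxgb3 driver: a user-space model of the double fetch the commit message describes, with a constructed stand-in for copy_from_user() whose racing writer always wins the window between the two copies. The command ids, the ch_reg layout and the names mock_copy_from_user, ch_ioctl and simulate_race are assumptions for illustration; recheck=1 applies the patch's comparison.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed command ids standing in for the CHELSIO_* values. */
#define CH_SET_QSET_NUM 1u
#define CH_LOAD_FW      2u
/* As in the driver's per-command structs, cmd is the leading field. */
struct ch_reg { uint32_t cmd; uint32_t addr; uint32_t val; };

/* Stand-in for copy_from_user over a plain buffer. When g_racing is set, a
 * second "thread" rewrites cmd right after every copy, so it always wins the
 * window between the first fetch (cmd) and the second (whole struct). */
static int g_racing;
static int mock_copy_from_user(void *dst, uint8_t *useraddr, size_t n)
{
    memcpy(dst, useraddr, n);
    if (g_racing) {
        uint32_t other = CH_LOAD_FW;
        memcpy(useraddr, &other, sizeof(other));
    }
    return 0;
}

/* Dispatcher shaped like cxgb_extension_ioctl: recheck=0 keeps the original
 * double fetch, recheck=1 adds the patch's comparison of the refetched cmd. */
static int ch_ioctl(uint8_t *useraddr, int recheck, uint32_t *acted_on)
{
    uint32_t cmd;
    if (mock_copy_from_user(&cmd, useraddr, sizeof(cmd)))
        return -EFAULT;
    switch (cmd) {
    case CH_SET_QSET_NUM: {
        struct ch_reg edata;
        if (mock_copy_from_user(&edata, useraddr, sizeof(edata)))
            return -EFAULT;
        if (recheck && edata.cmd != CH_SET_QSET_NUM)
            return -EINVAL;      /* cmd changed between the copies: reject */
        *acted_on = edata.cmd;   /* handler would go on with this struct */
        return 0;
    }
    default:
        return -EOPNOTSUPP;
    }
}

/* One ioctl under the racing writer; returns rc and reports the cmd used. */
int simulate_race(int recheck, uint32_t *acted_on)
{
    struct ch_reg user = { CH_SET_QSET_NUM, 0, 1 };  /* constructed input */
    g_racing = 1; *acted_on = 0;
    return ch_ioctl((uint8_t *)&user, recheck, acted_on);
}
```

Without the re-check the handler proceeds with a struct whose cmd is CH_LOAD_FW although it was dispatched as CH_SET_QSET_NUM; with it the mismatch is rejected with -EINVAL, exactly the outcome the patch adds.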