From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu , "David S. Miller" , Florian Fainelli , Andrew Lunn , Russell King , Edward Cree , Inbar Karmy , Eugenia Emantayev , Al Viro , Yury Norov , Vidya Sagar Ravipati , Alan Brady , Stephen Hemminger , netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] ethtool: fix a potential missing-check bug
Date: Sun, 29 Apr 2018 20:31:54 -0500
Message-Id: <1525051915-31944-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In ethtool_get_rxnfc(), the object "info" is first copied from user-space. If the FLOW_RSS flag is set in the member field flow_type of "info" (and cmd is ETHTOOL_GRXFH), info needs to be copied again from user-space because FLOW_RSS is newer and has a new definition, as mentioned in the comment.

However, given that the user data resides in user-space, a malicious user can race to change the data after the first copy. By doing so, the user can inject inconsistent data. For example, in the second copy, the FLOW_RSS flag could be cleared in the field flow_type of "info". In the following execution, "info" will be used in the function ops->get_rxnfc(). Such inconsistent data can potentially lead to unexpected information leakage, since ops->get_rxnfc() will prepare various types of data according to flow_type, and the prepared data will eventually be copied to user-space. This inconsistent data may also cause undefined behaviors based on how ops->get_rxnfc() is implemented.

This patch re-verifies the flow_type field of "info" after the second copy. If the value is not as expected, an error code will be returned.

Signed-off-by: Wenwen Wang
---
 net/core/ethtool.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 03416e6..a121034 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1032,6 +1032,8 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, info_size = sizeof(info); if (copy_from_user(&info, useraddr, info_size)) return -EFAULT; + if (!(info.flow_type & FLOW_RSS)) + return -EINVAL; } if (info.cmd == ETHTOOL_GRXCLSRLALL) { -- 2.7.4
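Review bot: the added check re-validates only the FLOW_RSS bit of flow_type, but the second copy_from_user() re-reads the whole of "info", including info.cmd, which the very next line after the closing brace (`if (info.cmd == ETHTOOL_GRXCLSRLALL)`) branches on; a cmd value changed between the two copies would pass the new check and continue with a full-size "info" under a different command than the one that justified the larger copy. Consider also re-verifying that info.cmd is still ETHTOOL_GRXFH after the second copy, or comparing the re-read fields against the first copy. The two new lines should also carry a short comment stating that they guard against user-space modifying the buffer between the two copies, so the check is not later mistaken for a redundant one and removed.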
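The double fetch the commit message describes, as an added example that is neither the kernel's code nor the patch itself: a user-space C model in which copy_from_user() is a memcpy from a user-controlled buffer and the race is a deterministic hook that clears FLOW_RSS between the two copies. The struct, the hook and the scenario runner are hypothetical; the two constants mirror uapi/linux/ethtool.h, but the model does not depend on their exact values.

```c
/* Added example, not kernel code: user-space model of the double fetch in
 * ethtool_get_rxnfc(); struct and hook names below are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FLOW_RSS      0x20000000u   /* as in uapi/linux/ethtool.h */
#define ETHTOOL_GRXFH 0x00000029u   /* as in uapi/linux/ethtool.h */
struct rxnfc_model {            /* cut-down stand-in for struct ethtool_rxnfc */
    uint32_t cmd;
    uint32_t flow_type;
    uint64_t rss_context;       /* only present in the newer, larger layout */
};
/* bytes an old-layout request occupies: everything before the new field */
#define RXNFC_OLD_SIZE offsetof(struct rxnfc_model, rss_context)
typedef void (*race_hook_t)(struct rxnfc_model *user);

/* Mirrors the patched control flow: memcpy stands in for copy_from_user(),
 * 'race' is the racing user thread, 'recheck' selects unpatched (0)/patched (1). */
static int get_rxnfc_model(struct rxnfc_model *user, race_hook_t race,
                           int recheck, struct rxnfc_model *out)
{
    struct rxnfc_model info = {0};
    size_t info_size = RXNFC_OLD_SIZE;
    memcpy(&info, user, info_size);                    /* first copy */
    if (info.cmd == ETHTOOL_GRXFH && (info.flow_type & FLOW_RSS)) {
        if (race)
            race(user);                                /* TOCTOU window */
        info_size = sizeof(info);
        memcpy(&info, user, info_size);                /* second copy */
        if (recheck && !(info.flow_type & FLOW_RSS))   /* the patch's check */
            return -EINVAL;
    }
    *out = info;
    return 0;
}

/* Constructed racing writer: clears FLOW_RSS between the two copies. */
static void clear_rss(struct rxnfc_model *user) { user->flow_type &= ~FLOW_RSS; }

/* Returns the flow_type the driver hook would act on, or a negative errno.
 * scenario 0: no race; 1: race, unpatched; 2: race, patched. */
static long run_scenario(int scenario)
{
    struct rxnfc_model user = { .cmd = ETHTOOL_GRXFH, .flow_type = FLOW_RSS | 1 };
    struct rxnfc_model out;
    int rc = get_rxnfc_model(&user, scenario ? clear_rss : NULL, scenario == 2, &out);
    return rc ? rc : (long)out.flow_type;
}
```

Scenario 1 shows the inconsistency the commit message warns about: the RSS-specific path was entered, yet the driver hook sees a flow_type without FLOW_RSS; scenario 2 shows the patched check rejecting it with -EINVAL.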