From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, "David S. Miller", Florian Fainelli, Andrew Lunn, Edward Cree, Russell King, Alan Brady, Stephen Hemminger, Eugenia Emantayev, Inbar Karmy, Vidya Sagar Ravipati, Yury Norov, Al Viro, netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] ethtool: fix a potential missing-check bug
Date: Mon, 30 Apr 2018 12:31:13 -0500
Message-Id: <1525109474-5595-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In ethtool_get_rxnfc(), the object "info" is first copied from user-space. If the FLOW_RSS flag is set in the member field flow_type of "info" (and cmd is ETHTOOL_GRXFH), info needs to be copied again from user-space because FLOW_RSS is newer and has a new definition, as mentioned in the comment. However, given that the user data resides in user-space, a malicious user can race to change the data after the first copy. By doing so, the user can inject inconsistent data. For example, in the second copy, the FLOW_RSS flag could be cleared in the field flow_type of "info". In the following execution, "info" will be used in the function ops->get_rxnfc(). Such inconsistent data can potentially lead to unexpected information leakage since ops->get_rxnfc() will prepare various types of data according to flow_type, and the prepared data will eventually be copied to user-space. This inconsistent data may also cause undefined behaviors depending on how ops->get_rxnfc() is implemented.

This patch simply re-verifies the flow_type field of "info" after the second copy. If the value is not as expected, an error code will be returned.

Signed-off-by: Wenwen Wang
---
 net/core/ethtool.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 03416e6..ba02f0d 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c @@ -1032,6 +1032,11 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, info_size = sizeof(info); if (copy_from_user(&info, useraddr, info_size)) return -EFAULT; + /* Since malicious users may modify the original data, + * we need to check whether FLOW_RSS is still requested. + */ + if (!(info.flow_type & FLOW_RSS)) + return -EINVAL; } if (info.cmd == ETHTOOL_GRXCLSRLALL) { -- 2.7.4
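Review bot: the re-validation added after the second copy_from_user() covers only flow_type, but that full-size copy overwrites every field that the first copy already read, including info.cmd, and the very next context line, `if (info.cmd == ETHTOOL_GRXCLSRLALL) {`, branches on the re-read value; a caller that rewrites cmd (or data) instead of flow_type between the two copies still gets past this check with fields that differ from the ones the first copy saw. Either re-check every field the first copy validated, or close the window entirely by leaving the first copy in place and fetching only the bytes beyond it (copy into `(char *)&info + <first copy size>` from `useraddr + <first copy size>` for the remaining `sizeof(info) - <first copy size>` bytes), which makes the added -EINVAL path unnecessary. Whichever is chosen, the comment should name the hazard being defended against (a TOCTOU between the two copies of the same user buffer) rather than the vaguer "malicious users may modify the original data".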
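The race the commit message describes, as an added user-space C model that is not part of this patch or of the kernel source. copy_from_user() is simulated, struct ethtool_rxnfc is cut down to the four fields that matter (an assumption; flow_spec and rule_locs[] are dropped), and the attacker's write between the two copies is a hook that fires after the first fetch rather than a real racing thread, so the outcome is deterministic. Three variants run: the unpatched double fetch, the flow_type re-check this patch adds, and a tail-only second copy (my alternative, not the patch's) that reads just the bytes past the first copy so already-validated fields cannot change. The ETHTOOL_GRXFH and FLOW_RSS values are the real uapi constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real values from include/uapi/linux/ethtool.h; errno values spelled out
 * so that the model needs no kernel headers. */
#define ETHTOOL_GRXFH 0x00000029
#define FLOW_RSS      0x20000000
#define MODEL_EINVAL  22

/* Stand-in for struct ethtool_rxnfc; flow_spec and rule_locs[] omitted (assumption). */
struct rxnfc_model {
	uint32_t cmd;
	uint32_t flow_type;
	uint64_t data;
	uint32_t rss_context;   /* only in the newer definition */
};

/* User buffer plus a hook modelling a second user thread rewriting it after the first copy. */
struct user_mem {
	struct rxnfc_model buf;
	int fetches;
	void (*after_first_fetch)(struct rxnfc_model *buf);
};

/* copy_from_user() model over [off, off+len); returns 0 (it always succeeds here). */
static int copy_from_user_sim(void *dst, struct user_mem *um, size_t off, size_t len)
{
	memcpy(dst, (const char *)&um->buf + off, len);
	if (++um->fetches == 1 && um->after_first_fetch)
		um->after_first_fetch(&um->buf);   /* the attacker wins the race */
	return 0;
}

struct outcome {
	int ret;              /* 0 or -errno, as the ioctl would return */
	int took_rss_path;    /* kernel believed FLOW_RSS was requested */
	uint32_t flow_type;   /* what ops->get_rxnfc() would be handed */
	uint32_t rss_context;
};
enum variant { UNPATCHED, RECHECK, TAIL_ONLY };

static struct outcome get_rxnfc_model(struct user_mem *um, uint32_t cmd, enum variant v)
{
	struct rxnfc_model info;
	struct outcome o = { 0, 0, 0, 0 };
	/* The old user-space definition covered only cmd, flow_type and data. */
	const size_t short_size = offsetof(struct rxnfc_model, data) + sizeof(info.data);
	int err;

	memset(&info, 0, sizeof(info));
	um->fetches = 0;
	err = copy_from_user_sim(&info, um, 0, short_size);
	if (!err && cmd == ETHTOOL_GRXFH && (info.flow_type & FLOW_RSS)) {
		o.took_rss_path = 1;
		if (v == TAIL_ONLY)
			/* Fetch only the bytes the short copy did not cover; checked fields stay put. */
			err = copy_from_user_sim((char *)&info + short_size, um, short_size,
						 sizeof(info) - short_size);
		else
			/* Second full copy: the TOCTOU window on cmd/flow_type/data. */
			err = copy_from_user_sim(&info, um, 0, sizeof(info));
		if (!err && v == RECHECK && !(info.flow_type & FLOW_RSS))
			err = MODEL_EINVAL;   /* the check this patch adds */
	}
	if (err) {
		o.ret = -err;
		return o;
	}
	o.flow_type = info.flow_type;
	o.rss_context = info.rss_context;
	return o;
}

/* Adversary: clear FLOW_RSS between the two fetches. */
static void clear_rss_flag(struct rxnfc_model *buf) { buf->flow_type &= ~FLOW_RSS; }

/* Constructed GRXFH request (TCP_V4_FLOW | FLOW_RSS); raced != 0 runs the adversary. */
static struct outcome run_variant(enum variant v, int raced)
{
	struct user_mem um;
	memset(&um, 0, sizeof(um));
	um.buf.cmd = ETHTOOL_GRXFH;
	um.buf.flow_type = 1 | FLOW_RSS;
	um.buf.rss_context = 7;
	um.after_first_fetch = raced ? clear_rss_flag : NULL;
	return get_rxnfc_model(&um, ETHTOOL_GRXFH, v);
}

int main(void)
{
	struct outcome a = run_variant(UNPATCHED, 1), b = run_variant(RECHECK, 1);
	printf("unpatched: ret=%d rss_path=%d flow_type=%#x; recheck: ret=%d\n",
	       a.ret, a.took_rss_path, (unsigned)a.flow_type, b.ret);
	return 0;
}
```

In the unpatched variant the kernel takes the FLOW_RSS branch yet hands the driver a flow_type with FLOW_RSS cleared, which is the inconsistency the commit message warns about; the re-check turns that into -EINVAL, and the tail-only copy never exposes the already-read fields to the second fetch at all, so it needs no re-check and still picks up rss_context from the newer part of the struct.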