Date: Tue, 01 May 2018 14:19:30 -0400 (EDT)
Message-Id: <20180501.141930.969764198768375676.davem@davemloft.net>
To: wang6495@umn.edu
Cc: kjlu@umn.edu, f.fainelli@gmail.com, andrew@lunn.ch, ecree@solarflare.com, rmk+kernel@armlinux.org.uk, alan.brady@intel.com, stephen@networkplumber.org, eugenia@mellanox.com, inbark@mellanox.com, vidya.chowdary@gmail.com, ynorov@caviumnetworks.com, viro@zeniv.linux.org.uk, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] ethtool: fix a potential missing-check bug
From: David Miller
In-Reply-To: <1525109474-5595-1-git-send-email-wang6495@umn.edu>
References: <1525109474-5595-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wenwen Wang
Date: Mon, 30 Apr 2018 12:31:13 -0500

> In ethtool_get_rxnfc(), the object "info" is first copied from
> user-space. If the FLOW_RSS flag is set in the member field flow_type of
> "info" (and cmd is ETHTOOL_GRXFH), info needs to be copied again from
> user-space because FLOW_RSS is newer and has a new definition, as mentioned
> in the comment. However, given that the user data resides in user-space, a
> malicious user can race to change the data after the first copy. By doing
> so, the user can inject inconsistent data. For example, in the second
> copy, the FLOW_RSS flag could be cleared in the field flow_type of "info".
> In the following execution, "info" will be used in the function
> ops->get_rxnfc(). Such inconsistent data can potentially lead to unexpected
> information leakage since ops->get_rxnfc() will prepare various types of
> data according to flow_type, and the prepared data will be eventually
> copied to user-space. This inconsistent data may also cause undefined
> behaviors based on how ops->get_rxnfc() is implemented.
>
> This patch simply re-verifies the flow_type field of "info" after the
> second copy. If the value is not as expected, an error code will be
> returned.
>
> Signed-off-by: Wenwen Wang

Applied, thanks.
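The double fetch the quoted commit message describes, modelled in user-space C as an added example (this is not the kernel's ethtool code nor the patch itself). The two snapshots passed to get_rxnfc_sim() stand in for what user memory holds at each copy_from_user(); struct rxnfc_info, the SIM_ constants and run_scenario() are constructed for the simulation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Names from the commit message; values match uapi/linux/ethtool.h, though any would do. */
#define SIM_ETHTOOL_GRXFH 0x00000029
#define SIM_FLOW_RSS      0x20000000

/* Constructed stand-in for struct ethtool_rxnfc (the real one has more fields). */
struct rxnfc_info {
    uint32_t cmd;
    uint32_t flow_type;
    uint32_t rule_cnt;   /* only present in the newer, longer layout */
};
#define INFO_SIZE_OLD offsetof(struct rxnfc_info, rule_cnt)

/* Simulated ethtool_get_rxnfc(). 'first' and 'second' are the bytes user
 * memory holds at each copy_from_user(); a racing thread can make them differ.
 * On success *seen receives the flow_type that would reach ops->get_rxnfc(). */
int get_rxnfc_sim(const struct rxnfc_info *first,
                  const struct rxnfc_info *second,
                  int recheck, uint32_t *seen)
{
    struct rxnfc_info info;
    memset(&info, 0, sizeof(info));
    memcpy(&info, first, INFO_SIZE_OLD);        /* first copy: old, short layout */
    if (info.cmd == SIM_ETHTOOL_GRXFH && (info.flow_type & SIM_FLOW_RSS)) {
        memcpy(&info, second, sizeof(info));    /* second copy: full layout */
        /* The fix: the branch above trusted data user-space can change
         * underneath us, so re-verify it after the second copy. */
        if (recheck && !(info.flow_type & SIM_FLOW_RSS))
            return -EINVAL;
    }
    *seen = info.flow_type;
    return 0;
}

/* Constructed scenario: caller sets FLOW_RSS; if 'racing', a concurrent thread
 * clears it between the copies. Returns -errno or the flow_type the driver sees. */
long run_scenario(int racing, int recheck)
{
    struct rxnfc_info before = { SIM_ETHTOOL_GRXFH, SIM_FLOW_RSS | 1, 4 };
    struct rxnfc_info after = before;
    uint32_t seen = 0;
    int rc;
    if (racing)
        after.flow_type &= ~SIM_FLOW_RSS;
    rc = get_rxnfc_sim(&before, &after, recheck, &seen);
    return rc < 0 ? rc : (long)seen;
}
```

Without the re-check, a flow_type with FLOW_RSS cleared reaches the driver even though the handler already committed to the FLOW_RSS layout; with it, the inconsistent request is rejected with -EINVAL.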