Date: Fri, 05 Oct 2018 11:47:35 -0700 (PDT)
Message-Id: <20181005.114735.1078401743683539709.davem@davemloft.net>
To: wang6495@umn.edu
Cc: kjlu@umn.edu, santosh@chelsio.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: cxgb3_main: fix a missing-check bug
From: David Miller
In-Reply-To: <1538747307-21403-1-git-send-email-wang6495@umn.edu>
References: <1538747307-21403-1-git-send-email-wang6495@umn.edu>

From: Wenwen Wang
Date: Fri, 5 Oct 2018 08:48:27 -0500

> In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
> the user-space buffer 'useraddr' to 'cmd' and checked through the
> switch statement. If the command is not as expected, an error code
> EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
> switch statement, the whole buffer of 'useraddr' is copied again to a
> specific data structure, according to what kind of command is requested.
> However, after the second copy, there is no re-check on the newly-copied
> command. Given that the buffer 'useraddr' is in the user space, a malicious
> user can race to change the command between the two copies. By doing so,
> the attacker can supply malicious data to the kernel and cause undefined
> behavior.
>
> This patch adds a re-check in each case of the switch statement if there is
> a second copy in that case, to re-check whether the command obtained in the
> second copy is the same as the one in the first copy. If not, an error code
> EINVAL is returned.
>
> Signed-off-by: Wenwen Wang

Applied.
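The double-fetch pattern the commit message describes, reduced to a user-space simulation so the re-check can be exercised without a kernel. This is an added example, not code from the patch or from the cxgb3 driver: the command numbers, the request structure, the `sim_copy_from_user` stand-in and the `between_copies_hook` (which plays the part of a second thread rewriting the buffer between the two fetches) are all constructed for the illustration. The handler keeps the shape of the patched control flow: a narrow first copy of the command selects the switch case, a wide second copy reads the whole request, and the command from the second copy is compared against the first before the payload is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed errno values (Linux numbers, returned negative as in-kernel code does). */
#define EFAULT     14
#define EINVAL     22
#define EOPNOTSUPP 95

/* Hypothetical command numbers; every request structure starts with the u32 command,
 * which is why the first copy can read just the command and the second copy reads
 * the full structure from the same user address. */
#define CMD_GET_VALUE 1
#define CMD_SET_VALUE 2

struct set_value_req {
    uint32_t cmd;
    uint32_t value;
};

/* Simulated user-space buffer that the handler fetches from. */
static unsigned char user_page[64];

/* Hook run after every simulated copy; the tests install a writer here to model
 * another thread changing the buffer between the first and second fetch. */
static void (*between_copies_hook)(void) = NULL;

static int sim_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    if (between_copies_hook)
        between_copies_hook();
    return 0; /* 0 == success, mirroring copy_from_user's "bytes not copied" convention */
}

/* Handler with the re-check the patch adds: the command in the second (full) copy
 * must equal the command that selected the switch case. */
static int handle_extension_ioctl(const unsigned char *useraddr, uint32_t *value_out)
{
    uint32_t cmd;

    if (sim_copy_from_user(&cmd, useraddr, sizeof(cmd)))
        return -EFAULT;

    switch (cmd) {
    case CMD_SET_VALUE: {
        struct set_value_req req;

        if (sim_copy_from_user(&req, useraddr, sizeof(req)))
            return -EFAULT;
        /* Re-check: the user buffer may have changed between the two copies. */
        if (req.cmd != cmd)
            return -EINVAL;
        *value_out = req.value;
        return 0;
    }
    case CMD_GET_VALUE:
        /* No second copy in this case, so nothing to re-check. */
        *value_out = 0;
        return 0;
    default:
        return -EOPNOTSUPP;
    }
}

/* Constructed "racing writer": rewrites the command field after a copy completes. */
static void racing_writer(void)
{
    uint32_t other = CMD_GET_VALUE;
    memcpy(user_page, &other, sizeof(other));
}

/* Returns the accepted value (42) when the buffer is stable across both copies. */
int run_without_race(void)
{
    struct set_value_req req = { CMD_SET_VALUE, 42 };
    uint32_t value = 0;
    int rc;

    memcpy(user_page, &req, sizeof(req));
    between_copies_hook = NULL;
    rc = handle_extension_ioctl(user_page, &value);
    return rc ? rc : (int)value;
}

/* Returns -EINVAL: the command observed by the second copy no longer matches. */
int run_with_race(void)
{
    struct set_value_req req = { CMD_SET_VALUE, 42 };
    uint32_t value = 0;
    int rc;

    memcpy(user_page, &req, sizeof(req));
    between_copies_hook = racing_writer;
    rc = handle_extension_ioctl(user_page, &value);
    between_copies_hook = NULL;
    return rc ? rc : (int)value;
}

int main(void)
{
    printf("stable buffer: %d\n", run_without_race()); /* 42 */
    printf("racing writer: %d\n", run_with_race());    /* -22 (-EINVAL) */
    return 0;
}
```

Without the `req.cmd != cmd` comparison the `CMD_SET_VALUE` case would act on whatever the second copy returned, even though the dispatch decision was made on a different command; the comparison turns that inconsistency into a rejected request. The alternative fix, copying the full structure once up front and dispatching on the copied command, removes the second fetch altogether and is preferable where the largest request size is known in advance.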