Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3743375imm; Mon, 8 Oct 2018 08:50:12 -0700 (PDT) X-Google-Smtp-Source: ACcGV62fWUC1u5tVvGebJmyT1hW+ImybY7iElxCMuIJAxoYzo85IG0R7asUoslvsIQn2Zac91s1l X-Received: by 2002:a63:f80a:: with SMTP id n10-v6mr21893125pgh.57.1539013812699; Mon, 08 Oct 2018 08:50:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539013812; cv=none; d=google.com; s=arc-20160816; b=VmYB/+d9pqnIHmAx1gsoYHIzt90aIWVkbE3+py2D6QJn98AJdOo/k4pksKyKSGZ9ni wdTcE8nlbUSiHu+rlj9nryHyzIzT1kh7yM0aSVrwFMrgSBikFxJj62y8aQP/Xn5k8rKv woTf3UDQ8EOu5qJ9b+ngEyRmwqfXiWKo+G1F4pfmgr4SYPSxu5PpWSGVgww7wpBo9Pqd QMvMTM+E4rFWUdbfnNJwEk3+ioqO7jSIowzPy1Y6ol0wU8q129DCgUHppt4iRe9ZUxJ+ +DAMbO/NHFa4F2DZ9OVX3lpgjDfSz66D/tU5p8D0UNa4RCl8AXWbSeaXGnTGI8czH+ZW YBpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=G3hHQo/9jnZpYEQeZQbO+SwMO1g3XEusnUb2WPTA/us=; b=XrbNQWr+2TRlazrryRiuBuojqMnb9fkqqGoBStiwhQ0NUIHrWBjmUtTGNne3CLUvC9 llhZLCZftOLqIkwDs1+zF4sIHtIgwnLo0tfRa/T15/eAv5oRQO6A84sxfUGPh6cxVRP8 Wv6aW+S05EWBLOrha85UEMHqa64sLzfnvV/g4cztIVwOBPIj7MZ+0qzWrRqoWzVaSinI GWGJXCQCouEYX+3l6LQVFscXNNATmy3UqgPSwZqLgCmqlxqLno0EWj8etOTFsgEj/T3X d3wAWKjOtSbDPPpP8EezmmkLq4luGqUrczhKMEoOEy+tlywzSo7LCfvRKNNoYJT032jo 2jpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=jmhCyvZr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t19-v6si20453011pfm.152.2018.10.08.08.49.57; Mon, 08 Oct 2018 08:50:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=google header.b=jmhCyvZr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726573AbeJHXCM (ORCPT + 99 others); Mon, 8 Oct 2018 19:02:12 -0400 Received: from mta-p7.oit.umn.edu ([134.84.196.207]:36306 "EHLO mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726441AbeJHXCL (ORCPT ); Mon, 8 Oct 2018 19:02:11 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id EC53563A for ; Mon, 8 Oct 2018 15:49:48 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDIuEuPQ9FEh for ; Mon, 8 Oct 2018 10:49:48 -0500 (CDT) Received: from mail-io1-f69.google.com (mail-io1-f69.google.com [209.85.166.69]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id B4B23F4F for ; Mon, 8 Oct 2018 10:49:48 -0500 (CDT) Received: by mail-io1-f69.google.com with SMTP id z15-v6so18954619iob.3 for ; Mon, 08 Oct 2018 08:49:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=G3hHQo/9jnZpYEQeZQbO+SwMO1g3XEusnUb2WPTA/us=; b=jmhCyvZrEa0pPy8ROklYbzHOGlORLRakQExGaQmP64fUpRYrQ0AKFoReJNavFBa91T LEZ2gsmP0uB4531aLGPXAQwc3uZpwq6sNbKDkCTTgxjigG9ExiXEHQs+jVspiBxqvGxj kGyPo4nzo+DJ7iR6tFK5H7UEGzW6Exd8GeLieWQTrTtINdef4f4OZDePMKEbl3111NKm 1RCQJmZMzQXTUBFbpglBoD7apZ7/Th1sxZopMgw8UwwlZ+lRWj109SnxMOhes26Nz1hy K98QzMHV64FrhjMVePO8QAxbtbwgOYcqrRmUfLfVA1Bs8ByG16VPby8HMYE/txdfsLk8 jjQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=G3hHQo/9jnZpYEQeZQbO+SwMO1g3XEusnUb2WPTA/us=; b=Wpm1iN1kFu5pxOTmY+cvaooL+QgXlEBcmMAE4OiZMz5vQU6muhTNLQjjvcchxqP5Na AiNABl4Ang6V64U9ScukZ28SYzfyS039uJnw7Trc78lMGgxnQmYijvdpduiSrlbRMhUM Yfu7KVD6JTMsxOqc3jjnJfGZpwLe3IsFN1qyTgL34oOR2c2x7uQ9SsRlRJNz8KILapR6 mBTzUt3q0X2FOBze+jpxBrhSbu2YrscU7gssz47OJwf9q4v/ug9Y39k39CZpOYs3Rk++ +nnNm9c4NM+Q4yU9RYVCyS4Cjjo8PfHk6ngJzGJzfyBurY5w/IQXyVYzBjjaAyfBrc0x hidw== X-Gm-Message-State: ABuFfogt54baIFcgNs4gV7nhWFrLIbpuujqdw5GURTQoOGgXmjESAavO bzcSHgE6s/tTuW1krV8SfnqNKIOLqhIjMqAaeVFmIguBcnEMuYsQWC7qSLONuXFi5l93o3NbDFm CiqVFLuOTxUlqhmnsPjTYN5ccRHqZ X-Received: by 2002:a24:7f52:: with SMTP id r79-v6mr13436297itc.100.1539013788321; Mon, 08 Oct 2018 08:49:48 -0700 (PDT) X-Received: by 2002:a24:7f52:: with SMTP id r79-v6mr13436286itc.100.1539013788064; Mon, 08 Oct 2018 08:49:48 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id k5-v6sm4563516ita.14.2018.10.08.08.49.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 08 Oct 2018 08:49:47 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , "David S. Miller" , Florian Fainelli , Kees Cook , Andrew Lunn , Edward Cree , Ilya Lesokhin , Yury Norov , Alan Brady , Stephen Hemminger , netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] ethtool: fix a privilege escalation bug Date: Mon, 8 Oct 2018 10:49:35 -0500 Message-Id: <1539013777-1625-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the use-space buffer 'useraddr' and checked to see whether it is ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next, according to 'sub_cmd', a permission check is enforced through the function ns_capable(). For example, the permission check is required if 'sub_cmd' is ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be done by anyone". The following execution invokes different handlers according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE, ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel object 'per_queue_opt' is copied again from the user-space buffer 'useraddr' and 'per_queue_opt.sub_command' is used to determine which operation should be performed. Given that the buffer 'useraddr' is in the user space, a malicious user can race to change the sub-command between the two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then before ethtool_set_per_queue() is called, the attacker changes ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can bypass the permission check and execute ETHTOOL_SCOALESCE. This patch enforces a check in ethtool_set_per_queue() after the second copy from 'useraddr'. If the sub-command is different from the one obtained in the first copy in dev_ethtool(), an error code EINVAL will be returned. Signed-off-by: Wenwen Wang --- net/core/ethtool.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/core/ethtool.c b/net/core/ethtool.c index c9993c6..ccb337e 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c @@ -2462,13 +2462,17 @@ static int ethtool_set_per_queue_coalesce(struct net_device *dev, return ret; } -static int ethtool_set_per_queue(struct net_device *dev, void __user *useraddr) +static int ethtool_set_per_queue(struct net_device *dev, + void __user *useraddr, u32 sub_cmd) { struct ethtool_per_queue_op per_queue_opt; if (copy_from_user(&per_queue_opt, useraddr, sizeof(per_queue_opt))) return -EFAULT; + if (per_queue_opt.sub_command != sub_cmd) + return -EINVAL; + switch (per_queue_opt.sub_command) { case ETHTOOL_GCOALESCE: return ethtool_get_per_queue_coalesce(dev, useraddr, &per_queue_opt); @@ -2838,7 +2842,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr) rc = ethtool_get_phy_stats(dev, useraddr); break; case ETHTOOL_PERQUEUE: - rc = ethtool_set_per_queue(dev, useraddr); + rc = ethtool_set_per_queue(dev, useraddr, sub_cmd); break; case ETHTOOL_GLINKSETTINGS: rc = ethtool_get_link_ksettings(dev, useraddr); -- 2.7.4