Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3901180imm;
        Mon, 8 Oct 2018 11:23:05 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61ypYB9WYOfe2WgEJz3B1+lXJ3ri6aCo8GPLMzKR6PgNAMGHQZmggE4DL0/oI3tcNqKR40i
X-Received: by 2002:a62:9951:: with SMTP id d78-v6mr25997408pfe.239.1539022985883;
        Mon, 08 Oct 2018 11:23:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539022985; cv=none;
        d=google.com; s=arc-20160816;
        b=HPO5Z12WNTo7eXrXMa9kw2ek+LW5Aj1+rDhpfR9ZJA/77GN0ajYxXFTECtc0JPv2gI
         2aPbI1E1LLvg+NiSDDSbOgI4Ccwt6H5et4r6RJpPhmM+sLytoevAKuuO4ECS0TA+EFoc
         GGOg4LsK7yJOgD9/hydJHhjQYPPbHSMHopyWdzkVMTGRGvkqWar+SwllxrHuh7F4A47U
         naVRKctZJ/CLCSoDYZWMNBnK8FYtQtBodvbNNiszp1iROxPTCt9rUuxcXCcxcM8kwwoM
         Okp4Ao8HekSuPpDBQjiz6hYZ9IYrTqhTB+W654/TG9pNh+YEYtwOyZqf08d6tn2E3OLv
         CUdw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=maXFHwbSO53+26xYgXBjX+RqqJ7FnMCmM0MU4Ph9lEk=;
        b=PTsF2k/QK+sDrKfJzAGM1Ui5qen1TYySD+AwG8iOFWot+5djpBJEl/dd/6xK8X+PsM
         lxctrg2MR13rhyKSz86DmWKVuCoAd8YuUhTywOsRh5AQCAeESHiqvq9X227GzTuYcpIk
         Jf8OCFW6+hEbxpKitfyrSMqA5FzK0y881lgH/R1Rui/d6MFcvdrzQdIi5Drvwbztyn7K
         m+Xf86Vn4PJsP0+7xONelIxhtiGolLA9vf77ieTwR6ef3saqUcc6M6ttsw0ZORMcoiNW
         lNDWX/9xvW1Y8rZ5mpeCsr+7OEJC5E23lFGuGC+VLIqUYhfHCPg7l1ZJdjd144fogVnh
         EhXQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 12-v6si15106627pgd.191.2018.10.08.11.22.51;
        Mon, 08 Oct 2018 11:23:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726569AbeJIBdA (ORCPT <rfc822;jandrusk@gmail.com> + 99 others);
        Mon, 8 Oct 2018 21:33:00 -0400
Received: from mx2.suse.de ([195.135.220.15]:42946 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726291AbeJIBdA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Oct 2018 21:33:00 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id 238B2AFCB;
        Mon,  8 Oct 2018 18:20:00 +0000 (UTC)
Received: by unicorn.suse.cz (Postfix, from userid 1000)
        id D7271A0A65; Mon,  8 Oct 2018 20:19:58 +0200 (CEST)
Date:   Mon, 8 Oct 2018 20:19:58 +0200
From:   Michal Kubecek <mkubecek@suse.cz>
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, "David S. Miller" <davem@davemloft.net>,
        Florian Fainelli <f.fainelli@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Andrew Lunn <andrew@lunn.ch>,
        Edward Cree <ecree@solarflare.com>,
        Ilya Lesokhin <ilyal@mellanox.com>,
        Yury Norov <ynorov@caviumnetworks.com>,
        Alan Brady <alan.brady@intel.com>,
        Stephen Hemminger <stephen@networkplumber.org>,
        "open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ethtool: fix a privilege escalation bug
Message-ID: <20181008181958.GB9504@unicorn.suse.cz>
References: <1539013777-1625-1-git-send-email-wang6495@umn.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1539013777-1625-1-git-send-email-wang6495@umn.edu>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 08, 2018 at 10:49:35AM -0500, Wenwen Wang wrote:
> In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the
> use-space buffer 'useraddr' and checked to see whether it is
> ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from
> the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next,
> according to 'sub_cmd', a permission check is enforced through the function
> ns_capable(). For example, the permission check is required if 'sub_cmd' is
> ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is
> ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be
> done by anyone". The following execution invokes different handlers
> according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE,
> ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel
> object 'per_queue_opt' is copied again from the user-space buffer
> 'useraddr' and 'per_queue_opt.sub_command' is used to determine which
> operation should be performed. Given that the buffer 'useraddr' is in the
> user space, a malicious user can race to change the sub-command between the
> two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and
> ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then
> before ethtool_set_per_queue() is called, the attacker changes
> ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can
> bypass the permission check and execute ETHTOOL_SCOALESCE.
> 
> This patch enforces a check in ethtool_set_per_queue() after the second
> copy from 'useraddr'. If the sub-command is different from the one obtained
> in the first copy in dev_ethtool(), an error code EINVAL will be returned.
> 

Fixes: f38d138a7da6 ("net/ethtool: support set coalesce per queue")

> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> ---
>  net/core/ethtool.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index c9993c6..ccb337e 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -2462,13 +2462,17 @@ static int ethtool_set_per_queue_coalesce(struct net_device *dev,
>  	return ret;
>  }
>  
> -static int ethtool_set_per_queue(struct net_device *dev, void __user *useraddr)
> +static int ethtool_set_per_queue(struct net_device *dev,
> +				 void __user *useraddr, u32 sub_cmd)
>  {
>  	struct ethtool_per_queue_op per_queue_opt;
>  
>  	if (copy_from_user(&per_queue_opt, useraddr, sizeof(per_queue_opt)))
>  		return -EFAULT;
>  
> +	if (per_queue_opt.sub_command != sub_cmd)
> +		return -EINVAL;
> +
>  	switch (per_queue_opt.sub_command) {
>  	case ETHTOOL_GCOALESCE:
>  		return ethtool_get_per_queue_coalesce(dev, useraddr, &per_queue_opt);
> @@ -2838,7 +2842,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
>  		rc = ethtool_get_phy_stats(dev, useraddr);
>  		break;
>  	case ETHTOOL_PERQUEUE:
> -		rc = ethtool_set_per_queue(dev, useraddr);
> +		rc = ethtool_set_per_queue(dev, useraddr, sub_cmd);
>  		break;
>  	case ETHTOOL_GLINKSETTINGS:
>  		rc = ethtool_get_link_ksettings(dev, useraddr);
> -- 
> 2.7.4
>