From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, "David S. Miller", Florian Fainelli, Kees Cook, Ilya Lesokhin, Edward Cree, Yury Norov, Alan Brady, Eugenia Emantayev, Stephen Hemminger, netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] ethtool: fix a missing-check bug
Date: Tue, 9 Oct 2018 08:15:38 -0500
Message-Id: <1539090940-5323-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
'info_size'. Then the whole structure of 'info' is copied from the
user-space buffer 'useraddr' with 'info_size' bytes. In the following
execution, 'info' may be copied again from the buffer 'useraddr' depending
on the 'cmd' and the 'info.flow_type'. However, after these two copies,
there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
space, a malicious user can race to change the eth command in the buffer
between these copies. By doing so, the attacker can supply inconsistent
data and cause undefined behavior because in the following execution
'info' will be passed to ops->get_rxnfc().

This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
they are still the same after the two copies in ethtool_get_rxnfc().
Otherwise, an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang
---
 net/core/ethtool.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index c9993c6..0136625 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1015,6 +1015,9 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, return -EINVAL; } + if (info.cmd != cmd) + return -EINVAL; + if (info.cmd == ETHTOOL_GRXCLSRLALL) { if (info.rule_cnt > 0) { if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) -- 2.7.4
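Review bot: the new `if (info.cmd != cmd) return -EINVAL;` has no comment explaining why a value that was just copied from user space is being compared against the function argument, and nothing in the surrounding context hints at it: a later reader who sees only this hunk will not know that `cmd` was fetched from the same user buffer by dev_ethtool() and `info.cmd` by this function, and may treat the check as redundant and drop it. Suggest a short comment above the check in the style of the kernel's other double-fetch notes, e.g. `/* 'cmd' was copied by dev_ethtool(); user space may have changed it since */`. The placement itself looks right given the description: it sits after the closing brace of the preceding block, so it runs after both copies, and the very next line `if (info.cmd == ETHTOOL_GRXCLSRLALL)` is the first consumer of `info.cmd`, which is exactly the value the check pins to the `cmd` the size handling was based on. Worth also stating in the commit message which kernel release the bug affects, since the description gives no version.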