Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5057593imm; Tue, 9 Oct 2018 09:05:35 -0700 (PDT) X-Google-Smtp-Source: ACcGV61xCiltvuFh0WrKAPOylMI8OXEibxGcmV9OQ/iCk/56y/hrCOH1hoSoniQfabv/SXX1XYJV X-Received: by 2002:a63:a362:: with SMTP id v34-v6mr26702455pgn.261.1539101135358; Tue, 09 Oct 2018 09:05:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539101135; cv=none; d=google.com; s=arc-20160816; b=Jl7mcLfjFf6PlAyv7tEbHz5Wh0h5y6Vl6LZ4nSCOURUj9D30mqOyFHE44jbXx8scO8 M0XrcUh6CDOVTnQay5SEIc54qdwUPCRycQFh6d8hgl2I5oUphBIMC0eum2VZe/FfIUDo FbWsAkQj6TR57r+UwJG1R0zFshX6qvkl2giIw/8Wqt01yEX2dijJpnOYuru20gAlf3F0 622u9annRzcJdO/x8OlkGTFE3Q1ffFD1bPLR6yD670aytTjQAt3q8Th3b1Ow86Vf6AkQ hd9bFZbh0GUhbVa9LeMAZcSgw0J+YGvfARfkrUsfhJvF3B2VVL1OGev/EJBL5c7wYDGy bprQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=JQa/ifOdl0uN/9e+oGRCpQ8sVfUsWSqF44sDcpuxcQw=; b=VRoOW9zruB/iYdP2qD605BHmN9mRDMV5Gwg7zl5fKx6FaHFT1zUHZnHbigxj6BQKvp gvYLHQnVjIN9anLlStA/45cr33meo9C6t887kNF3E2UvorSgrT2qRMH52gyAtoKGd6af rjXlN0LkXPiS6L73HA4nO8G6FEJgqQKi5hgevXrgQ8/jKQfEsERIaIc26RNxNQYEKfCt bRy5DFbc9wa7tiMeLNfg9gRN4lJAlNw/wCTGyOxP+K8FaE3aOFaYWLCxL6ueXkuY+X8e nrV1qHNIgHpLbTuwVCFD4O6yNKICJ7b/WT298bT394OT+3HchkPA+DJRTAv7VgXdOzz3 J2mA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 204-v6si24245076pfx.155.2018.10.09.09.05.20; Tue, 09 Oct 2018 09:05:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727103AbeJIXWC (ORCPT + 99 others); Tue, 9 Oct 2018 19:22:02 -0400 Received: from mx2.suse.de ([195.135.220.15]:51374 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726445AbeJIXWC (ORCPT ); Tue, 9 Oct 2018 19:22:02 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 0A030B06E; Tue, 9 Oct 2018 16:04:23 +0000 (UTC) Received: by unicorn.suse.cz (Postfix, from userid 1000) id C7368A1041; Tue, 9 Oct 2018 18:04:21 +0200 (CEST) Date: Tue, 9 Oct 2018 18:04:21 +0200 From: Michal Kubecek To: Wenwen Wang Cc: Kangjie Lu , "David S. Miller" , Florian Fainelli , Kees Cook , Ilya Lesokhin , Edward Cree , Yury Norov , Alan Brady , Eugenia Emantayev , Stephen Hemminger , "open list:NETWORKING [GENERAL]" , open list Subject: Re: [PATCH] ethtool: fix a missing-check bug Message-ID: <20181009160421.GC9504@unicorn.suse.cz> References: <1539090940-5323-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1539090940-5323-1-git-send-email-wang6495@umn.edu> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 09, 2018 at 08:15:38AM -0500, Wenwen Wang wrote: > In ethtool_get_rxnfc(), the eth command 'cmd' is compared against > 'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable > 'info_size'. Then the whole structure of 'info' is copied from the > user-space buffer 'useraddr' with 'info_size' bytes. In the following > execution, 'info' may be copied again from the buffer 'useraddr' depending > on the 'cmd' and the 'info.flow_type'. However, after these two copies, > there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also > copied from the buffer 'useraddr' in dev_ethtool(), which is the caller > function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user > space, a malicious user can race to change the eth command in the buffer > between these copies. By doing so, the attacker can supply inconsistent > data and cause undefined behavior because in the following execution 'info' > will be passed to ops->get_rxnfc(). Do you have an example how userspace could abuse the race to make kernel do something bad which it couldn't with the patch? I could think of only two or three potentially problematic scenarios: 1. Userspace changes cmd to a value which would not have been dispatched into ethtool_get_rxnfc() otherwise. While this is unfortunate, existing in-tree ethtool::get_rxnfc() handlers would only return -EOPNOTSUPP or -EINVAL in such case so no harm done. 2. Userspace uses ETHTOOL_GRXFH with FLOW_RSS not set in flow_type but then switches cmd to other subcommand so that ethtool_ops::get_rxnfc() handler is called with only partially initialized info and some garbage in the rest. However, unless this new cmd is completely wrong (case 1 above), userspace could have sent exactly the same garbage directly. 3. The "garbage" might be leftover data which could leak into userspace on return. However, as ethtool_get_rxnfc() would still use "short" value of info_size, it would have to leak indirectly by affecting the value of info.flow_type or info.data which seems rather theoretical. Did I miss something? I don't want to say that the check shouldn't be added, I'm just not convinced that the reasoning in commit message is correct. Michal Kubecek > > This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that > they are still same after the two copies in ethtool_get_rxnfc(). Otherwise, > an error code EINVAL will be returned. > > Signed-off-by: Wenwen Wang > --- > net/core/ethtool.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/core/ethtool.c b/net/core/ethtool.c > index c9993c6..0136625 100644 > --- a/net/core/ethtool.c > +++ b/net/core/ethtool.c > @@ -1015,6 +1015,9 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, > return -EINVAL; > } > > + if (info.cmd != cmd) > + return -EINVAL; > + > if (info.cmd == ETHTOOL_GRXCLSRLALL) { > if (info.rule_cnt > 0) { > if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) > -- > 2.7.4 >