Date: Mon, 15 Oct 2018 21:39:28 -0700 (PDT)
Message-Id: <20181015.213928.1979135633281436819.davem@davemloft.net>
To: wang6495@umn.edu
Cc: kjlu@umn.edu, f.fainelli@gmail.com, keescook@chromium.org, ilyal@mellanox.com, ecree@solarflare.com, ynorov@caviumnetworks.com, alan.brady@intel.com, eugenia@mellanox.com, stephen@networkplumber.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ethtool: fix a missing-check bug
From: David Miller
In-Reply-To: <1539090940-5323-1-git-send-email-wang6495@umn.edu>
References: <1539090940-5323-1-git-send-email-wang6495@umn.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wenwen Wang
Date: Tue, 9 Oct 2018 08:15:38 -0500

> In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
> 'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
> 'info_size'. Then the whole structure of 'info' is copied from the
> user-space buffer 'useraddr' with 'info_size' bytes. In the following
> execution, 'info' may be copied again from the buffer 'useraddr' depending
> on the 'cmd' and the 'info.flow_type'. However, after these two copies,
> there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
> copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
> function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
> space, a malicious user can race to change the eth command in the buffer
> between these copies. By doing so, the attacker can supply inconsistent
> data and cause undefined behavior because in the following execution 'info'
> will be passed to ops->get_rxnfc().
>
> This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
> they are still the same after the two copies in ethtool_get_rxnfc(). Otherwise,
> an error code EINVAL will be returned.
>
> Signed-off-by: Wenwen Wang

Applied.
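The double fetch the commit message describes, modelled as a self-contained user-space C program. This is an added example, not the kernel's code and not the patch itself: the struct, the command values (CMD_GRXFH, CMD_GRXRINGS, CMD_BOGUS), the copy_from_user_sim() stand-in for copy_from_user(), and the deterministic race hook that plays the second user thread are all constructed for illustration. The kernel's second, flow_type-dependent copy of 'info' is collapsed into a single struct fetch, since the point being shown is the comparison between the validated 'cmd' and the 'info.cmd' that reaches the driver.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the part of struct ethtool_rxnfc this example
 * needs; the real layout is in linux/ethtool.h. */
struct rxnfc_req {
    uint32_t cmd;
    uint32_t flow_type;
    uint64_t data;
};

/* Hypothetical command values standing in for ETHTOOL_GRXFH and friends. */
#define CMD_GRXFH    0x29u
#define CMD_GRXRINGS 0x2du
/* A value that would never pass dev_ethtool()'s command check. */
#define CMD_BOGUS    0xbadu

/* Stand-in for copy_from_user(): in the kernel the source is user memory,
 * which another thread of the calling process may rewrite at any time. */
static int copy_from_user_sim(void *dst, const void *src, size_t n)
{
    if (!src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Hook that runs between the two fetches; the scenarios below use it to
 * play the racing user thread deterministically. NULL means no race. */
typedef void (*race_hook)(void *user_buf);

/* Model of dev_ethtool() fetching 'cmd' and then ethtool_get_rxnfc()
 * fetching the whole struct. 'patched' toggles the consistency check. */
static int get_rxnfc_model(void *useraddr, race_hook race, int patched,
                           struct rxnfc_req *out)
{
    uint32_t cmd;
    struct rxnfc_req info;

    /* Fetch 1: the command word, validated here. */
    if (copy_from_user_sim(&cmd, useraddr, sizeof(cmd)))
        return -EFAULT;
    if (cmd != CMD_GRXFH && cmd != CMD_GRXRINGS)
        return -EOPNOTSUPP;

    /* Window in which a racing user thread can rewrite the buffer. */
    if (race)
        race(useraddr);

    /* Fetch 2: the struct that will be handed to the driver. */
    if (copy_from_user_sim(&info, useraddr, sizeof(info)))
        return -EFAULT;

    /* The fix: only 'cmd' was validated, but the driver sees 'info.cmd'.
     * Refuse the request if the two fetches no longer agree. */
    if (patched && info.cmd != cmd)
        return -EINVAL;

    *out = info;
    return 0;
}

/* The racing thread, modelled deterministically. */
static void swap_cmd_to_bogus(void *user_buf)
{
    ((struct rxnfc_req *)user_buf)->cmd = CMD_BOGUS;
}

/* Scenario 1: no race. Both versions accept the request. */
int no_race_rc(int patched)
{
    struct rxnfc_req buf = { CMD_GRXFH, 0, 0 }, out = { 0, 0, 0 };
    return get_rxnfc_model(&buf, NULL, patched, &out);
}

/* Scenario 2, unpatched: returns the command the driver would be handed. */
int unpatched_race_cmd_seen(void)
{
    struct rxnfc_req buf = { CMD_GRXFH, 0, 0 }, out = { 0, 0, 0 };
    if (get_rxnfc_model(&buf, swap_cmd_to_bogus, 0, &out) != 0)
        return -1;
    return (int)out.cmd;
}

/* Scenario 2, patched: returns the error code the caller gets instead. */
int patched_race_rc(void)
{
    struct rxnfc_req buf = { CMD_GRXFH, 0, 0 }, out = { 0, 0, 0 };
    return get_rxnfc_model(&buf, swap_cmd_to_bogus, 1, &out);
}

int main(void)
{
    printf("no race, unpatched: rc=%d\n", no_race_rc(0));
    printf("no race, patched:   rc=%d\n", no_race_rc(1));
    printf("race, unpatched:    driver sees cmd=0x%x\n", unpatched_race_cmd_seen());
    printf("race, patched:      rc=%d (-EINVAL=%d)\n", patched_race_rc(), -EINVAL);
    return 0;
}
```

In the unpatched scenario the driver is handed a command word that never went through dev_ethtool()'s validation; with the check in place the same race ends in -EINVAL. The general rule this illustrates: anything validated from an earlier copy of user memory is stale after a later copy, so either re-validate the field from the final copy or compare the two, as the patch does.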