Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2530986imm; Thu, 18 Oct 2018 16:44:46 -0700 (PDT) X-Google-Smtp-Source: ACcGV602W17yv9JsHxAuvffmssaw6BJ9etvmuzUD86oqLnTpIPsKTd3vRLqT+XJbt0QJID1Vyzf/ X-Received: by 2002:a65:648f:: with SMTP id e15-v6mr31143659pgv.250.1539906286919; Thu, 18 Oct 2018 16:44:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539906286; cv=none; d=google.com; s=arc-20160816; b=YHu87RQF0lt7xw8TDTx9n0Mm7mes/lR/7LF6g49YtxbF5Qr72K3zJmploO6RJQZ3W/ v8u4dL9ZtwmoklnlcuNZaubKqEb5oZXGJRwRGAnrPtBf8T3PPV5iByHEPrdrG61Cyn0X dk1ZMjAjURAM1b4OgEbsy7I0fhP+0vHxrExSgcRExCkjyA/6/M9lWUEiyG8o3U+k7Twa U/yfOKpVYcwklaQBx/Bw8XsHhv8qzQHuaS/kvOqvnqoFas16qSdVBcgOXpmX17dCbWQ3 0+BXs3fsMOotOi24TLEor151HvTjw9mgo+VlNcMwikbJkj3BIhp8/6Wx5XzMuo1piWzN +0Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:from:subject:cc:to:message-id:date; bh=Gh31sqYqoyo0YyvnBwQQeTP8J9qv1y/apwphrJmD+wY=; b=q7KN8r38E+eMM/g+mDr1R0A8v8MTcVgg84o0tRQjT7UQj//8eLciDBDxIFD7LVVfga 52kfeRfcNyWxFYAbTvH+nXk0ux+JDU5CoJXtrl7ksjq8kKFIz2kKH2qK30qkBLD0NnYg +J9sqdW5pwVK3Vn3xnqe+FLP+vTo0XrDmYBp0lxHEcPyASZkeZzFsYPq5pIQ+EiqaRIF NJ+L+xQlP2wYhoCl/NcDdaOJ4PrrUwhm2thRfi8ouLq8W0D600mqLbWxpIgotn5IQAW1 Yj466DKYfwIVnwyGG2i4ik0clN+Yxcmtsqg0vKEDXwLB5H7Qj+O7Fv16SIKWHto9csEH mWAg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z6-v6si21836005pln.287.2018.10.18.16.44.29; Thu, 18 Oct 2018 16:44:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726976AbeJSHrL (ORCPT + 99 others); Fri, 19 Oct 2018 03:47:11 -0400 Received: from shards.monkeyblade.net ([23.128.96.9]:42886 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726245AbeJSHrL (ORCPT ); Fri, 19 Oct 2018 03:47:11 -0400 Received: from localhost (unknown [IPv6:2601:601:9f80:35cd::cf9]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id F1DFC140A72D5; Thu, 18 Oct 2018 16:43:50 -0700 (PDT) Date: Thu, 18 Oct 2018 16:43:50 -0700 (PDT) Message-Id: <20181018.164350.528381990407930636.davem@davemloft.net> To: wang6495@umn.edu Cc: kjlu@umn.edu, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] net: socket: fix a missing-check bug From: David Miller In-Reply-To: <1539873406-5967-1-git-send-email-wang6495@umn.edu> References: <1539873406-5967-1-git-send-email-wang6495@umn.edu> X-Mailer: Mew version 6.7 on Emacs 26 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Thu, 18 Oct 2018 16:43:51 -0700 (PDT) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wenwen Wang Date: Thu, 18 Oct 2018 09:36:46 -0500 > In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch > statement to see whether it is necessary to pre-process the ethtool > structure, because, as mentioned in the comment, the structure > ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc' > is allocated through compat_alloc_user_space(). One thing to note here is > that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is > partially determined by 'rule_cnt', which is actually acquired from the > user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through > get_user(). After 'rxnfc' is allocated, the data in the original user-space > buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(), > including the 'rule_cnt' field. However, after this copy, no check is > re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user > race to change the value in the 'compat_rxnfc->rule_cnt' between these two > copies. Through this way, the attacker can bypass the previous check on > 'rule_cnt' and inject malicious data. This can cause undefined behavior of > the kernel and introduce potential security risk. > > This patch avoids the above issue via copying the value acquired by > get_user() to 'rxnfc->rule_cn', if 'ethcmd' is ETHTOOL_GRXCLSRLALL. > > Signed-off-by: Wenwen Wang This isn't pretty, but I can't come up with a better fix. Note that we check and validate the rule count value even a third time when we copy the rules back out to userspace. Applied and queued up for -stable, thank you.