Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp3758198imd;
        Mon, 29 Oct 2018 11:54:55 -0700 (PDT)
X-Google-Smtp-Source: AJdET5ft/sJzLAgjvu5U1IHdFJfzC449FUWKI8BWw1aw/TT1u3qeHgr2qdVgvHCPk+qxQnz6OpkR
X-Received: by 2002:a63:ce56:: with SMTP id r22-v6mr14724122pgi.217.1540839295432;
        Mon, 29 Oct 2018 11:54:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540839295; cv=none;
        d=google.com; s=arc-20160816;
        b=jdDS+FMihL5l83UPRuYYC5xAvMzc/1+kf1ubeyigBesiCEhcOayeLndQXEZ9Te6Kml
         8p2poV1X1dzDIvKdUQJ488LuHz6S9msDsOXWgwpjpdDuFCPbpppWGaxBuFeBrit7OM3s
         bTcupB4e2qLOi6eiudkp6VmImpC2GSq3UWI8E0MUKBQVvkuph4t0Ph8zhn4jm6liK7ug
         s+CRBMPOw18/2H3sLg49q7AL9QriXpLdiZ969s9DNiwd+otYU64aGngMBepYr7aJExMo
         +CkvG6KfsUgIpAkSYhsdyRtKr3EkbqTS1B4caBOfJhsdxkUyTREq8DMY9DQbXytyMkDX
         nZSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=1YK0wjCQpXRLa+eDT43pdA6pzc+NAEWjb48yPZ+oNXs=;
        b=fDM8ULP9uNtzonCEEbNDg5RNal/rF5GUam2ommZT/36JEBzsXDr5bP02YadC3dKZ7j
         yF5DJA5ei27Q6dtpmwsePcIbX+UYxLyLul6mf+qTbqCdT5RJAbFlqXJwmzw+h/PgXBK7
         Kr+MvQ72TTusJHWC9CldzUvliCQzoqMNJBlYZwIeheYtEB7X4L5DDAhjugjAldwljGgI
         6O/mkwSOctknXocV8pCZyUFVzKkVbURtQF6rFFHZtFCsEB1jMxo5+o82OyNHbo4fTISb
         nlq1BAKe1efQZEmBpd7mRtmYvKTZK9fso8I5lUaGECLoiI9kxwK1Oc62VH4BRxV3TX27
         sBsg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@umn.edu header.s=20160920 header.b=XPwjlw8p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r128-v6si4680543pfc.116.2018.10.29.11.54.39;
        Mon, 29 Oct 2018 11:54:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@umn.edu header.s=20160920 header.b=XPwjlw8p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729349AbeJ3DoO (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Mon, 29 Oct 2018 23:44:14 -0400
Received: from mta-p3.oit.umn.edu ([134.84.196.203]:36506 "EHLO
        mta-p3.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726364AbeJ3DoN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Oct 2018 23:44:13 -0400
Received: from localhost (localhost [127.0.0.1])
        by mta-p3.oit.umn.edu (Postfix) with ESMTP id 4989A747;
        Mon, 29 Oct 2018 18:54:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h=
        content-type:content-type:subject:subject:message-id:date:date
        :from:from:in-reply-to:references:mime-version:received:received
        :received; s=20160920; t=1540839256; x=1542653657; bh=1YK0wjCQpX
        RLa+eDT43pdA6pzc+NAEWjb48yPZ+oNXs=; b=XPwjlw8pHNrXYPFzXcdoT7+fZW
        +nQA7FAqilh0S7nic0nsO2jmdubKn9bWtBke/GtMTeWqCAaBrBJz0kCZ9zhoaSLb
        Ma6iOKXh89JGb/mE8NClRX6tNwcQD9m4tUOb5Kppgs2QeKD1eg2OXbm61Au1gL1E
        +PzDEG88poXiafNiCZeJUHnj+XAWk+QyjHYfIacfPi9QloX/r5NpBJIDzxFNWEEw
        LENRQpR+fDSQkRx51+yGP2H/9bCIQdt4T4IIC/7cFSw+pctIoDIxdCHO4hHoaE5D
        Yfq0Zy8IP4btuuKrrrWzbNmUjTCG1w8vIba6Wj9mec4y0Da3ZubRIXsg1avg==
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p3.oit.umn.edu ([127.0.0.1])
        by localhost (mta-p3.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id VPCh53mB-A3m; Mon, 29 Oct 2018 13:54:16 -0500 (CDT)
Received: from mail-it1-f175.google.com (mail-it1-f175.google.com [209.85.166.175])
        (using TLSv1 with cipher AES128-SHA (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: wang6495)
        by mta-p3.oit.umn.edu (Postfix) with ESMTPSA id 22A30125;
        Mon, 29 Oct 2018 13:54:16 -0500 (CDT)
Received: by mail-it1-f175.google.com with SMTP id e17so9227752itk.5;
        Mon, 29 Oct 2018 11:54:16 -0700 (PDT)
X-Gm-Message-State: AGRZ1gL+6YAB/vvtTJzRhEIUkh54L/gTum7k12R1sFBRuwrTgc2+U6Eh
        qniPKb7NeiVvca+61IsXsaKY05yMPTTlKpamg50=
X-Received: by 2002:a24:4f82:: with SMTP id c124-v6mr11373764itb.108.1540839255865;
 Mon, 29 Oct 2018 11:54:15 -0700 (PDT)
MIME-Version: 1.0
References: <1540051091-16604-1-git-send-email-wang6495@umn.edu> <F93F08E0-9D18-4C1A-8214-8AEAC829B317@gmail.com>
In-Reply-To: <F93F08E0-9D18-4C1A-8214-8AEAC829B317@gmail.com>
From:   Wenwen Wang <wang6495@umn.edu>
Date:   Mon, 29 Oct 2018 13:53:39 -0500
X-Gmail-Original-Message-ID: <CAAa=b7cbS0ycDF3sgXn6C9QpczLk5Sy5o-JCi66tTTGtkGoWbQ@mail.gmail.com>
Message-ID: <CAAa=b7cbS0ycDF3sgXn6C9QpczLk5Sy5o-JCi66tTTGtkGoWbQ@mail.gmail.com>
Subject: Re: [PATCH] net: socket: fix a missing-check bug
To:     f.fainelli@gmail.com
Cc:     Kangjie Lu <kjlu@umn.edu>, "David S. Miller" <davem@davemloft.net>,
        "open list:NETWORKING [GENERAL]" <netdev@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>,
        Wenwen Wang <wang6495@umn.edu>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Florian,

Thanks for your response. The bug is found with the assistance of a
research prototype, which is now not available to the public.

Yes, this is a kind of time-of-check-to-time-of-use (TOCTTOU) bug.

BTW, could you please confirm this bug? Thanks!

Wenwen

On Sat, Oct 20, 2018 at 10:21 PM Florian Fainelli <f.fainelli@gmail.com> wrote:
>
> Hi Wenwen,
>
> On October 20, 2018 8:58:10 AM PDT, Wenwen Wang <wang6495@umn.edu> wrote:
> >In ethtool_ioctl(), the ioctl command is firstly obtained from the
> >user-space buffer 'compat_rxnfc' through get_user() and saved to
> >'ethcmd'.
> >Then, 'ethcmd' is checked to see whether it is necessary to pre-process
> >the
> >ethool structure, because the structure ethtool_rxnfc is defined with
> >padding, as mentioned in the comment. If yes, a user-space buffer
> >'rxnfc'
> >is allocated through compat_alloc_user_space() and then the data in the
> >original buffer 'compat_rxnfc' is copied to 'rxnfc' through
> >copy_in_user(),
> >including the ioctl command. It is worth noting that after this copy,
> >there
> >is no check enforced on the copied ioctl command. That means it is
> >possible
> >that 'rxnfc->cmd' is different from 'ethcmd', because a malicious user
> >can
> >race to modify the ioctl command in 'compat_rxnfc' between these two
> >copies. Eventually, the ioctl command in 'rxnfc' will be used in
> >dev_ethtool(). This can cause undefined behavior of the kernel and
> >introduce potential security risk.
> >
> >This patch avoids the above issue by rewriting 'rxnfc->cmd' using
> >'ethcmd'
> >after copy_in_user().
> >
> >Signed-off-by: Wenwen Wang <wang6495@umn.edu>
>
> Assuming these issues are found with some kind of automated analysis, can you also add in your work flow to provide a Fixes: tag such that this could be backported to stable kernels?
>
> If this is found by a tool is this something that is open source and somehow available? I would also make it clear that these issues are typically named time TOCTOU which might be clearer for people who review those patches.
>
> Thanks!
> --
> Florian