Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp3758198imd; Mon, 29 Oct 2018 11:54:55 -0700 (PDT) X-Google-Smtp-Source: AJdET5ft/sJzLAgjvu5U1IHdFJfzC449FUWKI8BWw1aw/TT1u3qeHgr2qdVgvHCPk+qxQnz6OpkR X-Received: by 2002:a63:ce56:: with SMTP id r22-v6mr14724122pgi.217.1540839295432; Mon, 29 Oct 2018 11:54:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540839295; cv=none; d=google.com; s=arc-20160816; b=jdDS+FMihL5l83UPRuYYC5xAvMzc/1+kf1ubeyigBesiCEhcOayeLndQXEZ9Te6Kml 8p2poV1X1dzDIvKdUQJ488LuHz6S9msDsOXWgwpjpdDuFCPbpppWGaxBuFeBrit7OM3s bTcupB4e2qLOi6eiudkp6VmImpC2GSq3UWI8E0MUKBQVvkuph4t0Ph8zhn4jm6liK7ug s+CRBMPOw18/2H3sLg49q7AL9QriXpLdiZ969s9DNiwd+otYU64aGngMBepYr7aJExMo +CkvG6KfsUgIpAkSYhsdyRtKr3EkbqTS1B4caBOfJhsdxkUyTREq8DMY9DQbXytyMkDX nZSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=1YK0wjCQpXRLa+eDT43pdA6pzc+NAEWjb48yPZ+oNXs=; b=fDM8ULP9uNtzonCEEbNDg5RNal/rF5GUam2ommZT/36JEBzsXDr5bP02YadC3dKZ7j yF5DJA5ei27Q6dtpmwsePcIbX+UYxLyLul6mf+qTbqCdT5RJAbFlqXJwmzw+h/PgXBK7 Kr+MvQ72TTusJHWC9CldzUvliCQzoqMNJBlYZwIeheYtEB7X4L5DDAhjugjAldwljGgI 6O/mkwSOctknXocV8pCZyUFVzKkVbURtQF6rFFHZtFCsEB1jMxo5+o82OyNHbo4fTISb nlq1BAKe1efQZEmBpd7mRtmYvKTZK9fso8I5lUaGECLoiI9kxwK1Oc62VH4BRxV3TX27 sBsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=XPwjlw8p; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r128-v6si4680543pfc.116.2018.10.29.11.54.39; Mon, 29 Oct 2018 11:54:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@umn.edu header.s=20160920 header.b=XPwjlw8p; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729349AbeJ3DoO (ORCPT + 99 others); Mon, 29 Oct 2018 23:44:14 -0400 Received: from mta-p3.oit.umn.edu ([134.84.196.203]:36506 "EHLO mta-p3.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726364AbeJ3DoN (ORCPT ); Mon, 29 Oct 2018 23:44:13 -0400 Received: from localhost (localhost [127.0.0.1]) by mta-p3.oit.umn.edu (Postfix) with ESMTP id 4989A747; Mon, 29 Oct 2018 18:54:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=umn.edu; h= content-type:content-type:subject:subject:message-id:date:date :from:from:in-reply-to:references:mime-version:received:received :received; s=20160920; t=1540839256; x=1542653657; bh=1YK0wjCQpX RLa+eDT43pdA6pzc+NAEWjb48yPZ+oNXs=; b=XPwjlw8pHNrXYPFzXcdoT7+fZW +nQA7FAqilh0S7nic0nsO2jmdubKn9bWtBke/GtMTeWqCAaBrBJz0kCZ9zhoaSLb Ma6iOKXh89JGb/mE8NClRX6tNwcQD9m4tUOb5Kppgs2QeKD1eg2OXbm61Au1gL1E +PzDEG88poXiafNiCZeJUHnj+XAWk+QyjHYfIacfPi9QloX/r5NpBJIDzxFNWEEw LENRQpR+fDSQkRx51+yGP2H/9bCIQdt4T4IIC/7cFSw+pctIoDIxdCHO4hHoaE5D Yfq0Zy8IP4btuuKrrrWzbNmUjTCG1w8vIba6Wj9mec4y0Da3ZubRIXsg1avg== X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p3.oit.umn.edu ([127.0.0.1]) by localhost (mta-p3.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPCh53mB-A3m; Mon, 29 Oct 2018 13:54:16 -0500 (CDT) Received: from mail-it1-f175.google.com (mail-it1-f175.google.com [209.85.166.175]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: wang6495) by mta-p3.oit.umn.edu (Postfix) with ESMTPSA id 22A30125; Mon, 29 Oct 2018 13:54:16 -0500 (CDT) Received: by mail-it1-f175.google.com with SMTP id e17so9227752itk.5; Mon, 29 Oct 2018 11:54:16 -0700 (PDT) X-Gm-Message-State: AGRZ1gL+6YAB/vvtTJzRhEIUkh54L/gTum7k12R1sFBRuwrTgc2+U6Eh qniPKb7NeiVvca+61IsXsaKY05yMPTTlKpamg50= X-Received: by 2002:a24:4f82:: with SMTP id c124-v6mr11373764itb.108.1540839255865; Mon, 29 Oct 2018 11:54:15 -0700 (PDT) MIME-Version: 1.0 References: <1540051091-16604-1-git-send-email-wang6495@umn.edu> In-Reply-To: From: Wenwen Wang Date: Mon, 29 Oct 2018 13:53:39 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] net: socket: fix a missing-check bug To: f.fainelli@gmail.com Cc: Kangjie Lu , "David S. Miller" , "open list:NETWORKING [GENERAL]" , open list , Wenwen Wang Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Florian, Thanks for your response. The bug is found with the assistance of a research prototype, which is now not available to the public. Yes, this is a kind of time-of-check-to-time-of-use (TOCTTOU) bug. BTW, could you please confirm this bug? Thanks! Wenwen On Sat, Oct 20, 2018 at 10:21 PM Florian Fainelli wrote: > > Hi Wenwen, > > On October 20, 2018 8:58:10 AM PDT, Wenwen Wang wrote: > >In ethtool_ioctl(), the ioctl command is firstly obtained from the > >user-space buffer 'compat_rxnfc' through get_user() and saved to > >'ethcmd'. > >Then, 'ethcmd' is checked to see whether it is necessary to pre-process > >the > >ethool structure, because the structure ethtool_rxnfc is defined with > >padding, as mentioned in the comment. If yes, a user-space buffer > >'rxnfc' > >is allocated through compat_alloc_user_space() and then the data in the > >original buffer 'compat_rxnfc' is copied to 'rxnfc' through > >copy_in_user(), > >including the ioctl command. It is worth noting that after this copy, > >there > >is no check enforced on the copied ioctl command. That means it is > >possible > >that 'rxnfc->cmd' is different from 'ethcmd', because a malicious user > >can > >race to modify the ioctl command in 'compat_rxnfc' between these two > >copies. Eventually, the ioctl command in 'rxnfc' will be used in > >dev_ethtool(). This can cause undefined behavior of the kernel and > >introduce potential security risk. > > > >This patch avoids the above issue by rewriting 'rxnfc->cmd' using > >'ethcmd' > >after copy_in_user(). > > > >Signed-off-by: Wenwen Wang > > Assuming these issues are found with some kind of automated analysis, can you also add in your work flow to provide a Fixes: tag such that this could be backported to stable kernels? > > If this is found by a tool is this something that is open source and somehow available? I would also make it clear that these issues are typically named time TOCTOU which might be clearer for people who review those patches. > > Thanks! > -- > Florian