From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wenwen Wang, "David S. Miller", Sasha Levin
Subject: [PATCH 4.18 068/150] net: cxgb3_main: fix a missing-check bug
Date: Fri, 2 Nov 2018 19:33:50 +0100
Message-Id: <20181102182908.353528945@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181102182902.250560510@linuxfoundation.org>
References: <20181102182902.250560510@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]

In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from the user-space buffer 'useraddr' to 'cmd' and checked through the switch statement. If the command is not as expected, an error code EOPNOTSUPP is returned. In the following execution, i.e., the cases of the switch statement, the whole buffer of 'useraddr' is copied again to a specific data structure, according to what kind of command is requested. However, after the second copy, there is no re-check on the newly-copied command. Given that the buffer 'useraddr' is in the user space, a malicious user can race to change the command between the two copies. By doing so, the attacker can supply malicious data to the kernel and cause undefined behavior.

This patch adds a re-check in each case of the switch statement if there is a second copy in that case, to re-check whether the command obtained in the second copy is the same as the one in the first copy. If not, an error code EINVAL is returned.

Signed-off-by: Wenwen Wang
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin --- drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c index a19172dbe6be..c34ea385fe4a 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c @@ -2159,6 +2159,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EPERM; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_SET_QSET_PARAMS) + return -EINVAL; if (t.qset_idx >= SGE_QSETS) return -EINVAL; if (!in_range(t.intr_lat, 0, M_NEWTIMER) || @@ -2258,6 +2260,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_GET_QSET_PARAMS) + return -EINVAL; + /* Display qsets for all ports when offload enabled */ if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) { q1 = 0; @@ -2303,6 +2308,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&edata, useraddr, sizeof(edata))) return -EFAULT; + if (edata.cmd != CHELSIO_SET_QSET_NUM) + return -EINVAL; if (edata.val < 1 || (edata.val > 1 && !(adapter->flags & USING_MSIX))) return -EINVAL; @@ -2343,6 +2350,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EPERM; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_LOAD_FW) + return -EINVAL; /* Check t.len sanity ? */ fw_data = memdup_user(useraddr + sizeof(t), t.len); if (IS_ERR(fw_data)) 
@@ -2366,6 +2375,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&m, useraddr, sizeof(m))) return -EFAULT; + if (m.cmd != CHELSIO_SETMTUTAB) + return -EINVAL; if (m.nmtus != NMTUS) return -EINVAL; if (m.mtus[0] < 81) /* accommodate SACK */ @@ -2407,6 +2418,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&m, useraddr, sizeof(m))) return -EFAULT; + if (m.cmd != CHELSIO_SET_PM) + return -EINVAL; if (!is_power_of_2(m.rx_pg_sz) || !is_power_of_2(m.tx_pg_sz)) return -EINVAL; /* not power of 2 */ @@ -2440,6 +2453,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EIO; /* need the memory controllers */ if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_GET_MEM) + return -EINVAL; if ((t.addr & 7) || (t.len & 7)) return -EINVAL; if (t.mem_id == MEM_CM) @@ -2492,6 +2507,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EAGAIN; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_SET_TRACE_FILTER) + return -EINVAL; tp = (const struct trace_params *)&t.sip; if (t.config_tx) -- 2.17.1
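Review bot: In the first hunk (@@ -2159, CHELSIO_SET_QSET_PARAMS) the re-check returns -EINVAL for a command that no longer matches, while the commit message says the initial dispatch on 'cmd' returns -EOPNOTSUPP for an unexpected command; the same condition (the user-supplied command is not one this case handles) now yields two different error codes depending on when the buffer changed. That is acceptable for closing the race, but the choice should be stated in the commit message, or the re-check should return -EOPNOTSUPP so userspace sees one error for one condition. Also note the check is placed correctly: it follows copy_from_user() and precedes every use of 't', so all later validation (qset_idx, intr_lat) operates on a kernel copy whose 'cmd' has been confirmed.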
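Review bot: The second hunk (@@ -2258, CHELSIO_GET_QSET_PARAMS) adds a blank line after the new check ("+ return -EINVAL;" followed by an empty "+" line), whereas the other seven hunks insert the two check lines with no trailing blank. Either form is fine, but the eight insertions should be formatted identically so the pattern is easy to audit; drop the extra blank line here or add one to the others.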
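Review bot: In the CHELSIO_LOAD_FW hunk (@@ -2343) the new "if (t.cmd != CHELSIO_LOAD_FW)" check closes the command race but leaves the pre-existing "/* Check t.len sanity ? */" question untouched, and the very next line is "fw_data = memdup_user(useraddr + sizeof(t), t.len);" with an unvalidated user-controlled length. That is out of scope for this fix, but since this hunk is already touching the lines immediately above it, it would be worth either bounding t.len here or turning the comment into a TODO referencing a follow-up so the open question is not lost.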
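Review bot: In the last hunk (@@ -2492, CHELSIO_SET_TRACE_FILTER) the ordering matters and is correct: the check "if (t.cmd != CHELSIO_SET_TRACE_FILTER)" is inserted before "tp = (const struct trace_params *)&t.sip;", so the alias into the copied structure is only taken once the kernel copy is known to carry the expected command. A reviewer would want a one-line comment at the first of these eight checks explaining that it guards against userspace rewriting 'cmd' between the two copy_from_user() calls, since the bare "t.cmd != ..." comparisons look redundant with the enclosing switch to anyone reading the code without this commit message.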