From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wenwen Wang, "David S. Miller", Sasha Levin
Subject: [PATCH 4.4 018/114] net: cxgb3_main: fix a missing-check bug
Date: Thu, 8 Nov 2018 13:50:33 -0800
Message-Id: <20181108215100.824875692@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181108215059.051093652@linuxfoundation.org>
References: <20181108215059.051093652@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]

In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
the user-space buffer 'useraddr' to 'cmd' and checked through the switch
statement. If the command is not as expected, an error code EOPNOTSUPP is
returned. In the following execution, i.e., the cases of the switch
statement, the whole buffer of 'useraddr' is copied again to a specific data
structure, according to what kind of command is requested. However, after
the second copy, there is no re-check on the newly-copied command. Given that
the buffer 'useraddr' is in the user space, a malicious user can race to
change the command between the two copies. By doing so, the attacker can
supply malicious data to the kernel and cause undefined behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL is returned.

Signed-off-by: Wenwen Wang
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin --- drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c index 7ae8374bff13..3dd4c39640dc 100644 --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c @@ -2147,6 +2147,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EPERM; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_SET_QSET_PARAMS) + return -EINVAL; if (t.qset_idx >= SGE_QSETS) return -EINVAL; if (!in_range(t.intr_lat, 0, M_NEWTIMER) || @@ -2246,6 +2248,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_GET_QSET_PARAMS) + return -EINVAL; + /* Display qsets for all ports when offload enabled */ if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) { q1 = 0; @@ -2291,6 +2296,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&edata, useraddr, sizeof(edata))) return -EFAULT; + if (edata.cmd != CHELSIO_SET_QSET_NUM) + return -EINVAL; if (edata.val < 1 || (edata.val > 1 && !(adapter->flags & USING_MSIX))) return -EINVAL; @@ -2331,6 +2338,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EPERM; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_LOAD_FW) + return -EINVAL; /* Check t.len sanity ? */ fw_data = memdup_user(useraddr + sizeof(t), t.len); if (IS_ERR(fw_data)) 
@@ -2354,6 +2363,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&m, useraddr, sizeof(m))) return -EFAULT; + if (m.cmd != CHELSIO_SETMTUTAB) + return -EINVAL; if (m.nmtus != NMTUS) return -EINVAL; if (m.mtus[0] < 81) /* accommodate SACK */ @@ -2395,6 +2406,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EBUSY; if (copy_from_user(&m, useraddr, sizeof(m))) return -EFAULT; + if (m.cmd != CHELSIO_SET_PM) + return -EINVAL; if (!is_power_of_2(m.rx_pg_sz) || !is_power_of_2(m.tx_pg_sz)) return -EINVAL; /* not power of 2 */ @@ -2428,6 +2441,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EIO; /* need the memory controllers */ if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_GET_MEM) + return -EINVAL; if ((t.addr & 7) || (t.len & 7)) return -EINVAL; if (t.mem_id == MEM_CM) @@ -2480,6 +2495,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) return -EAGAIN; if (copy_from_user(&t, useraddr, sizeof(t))) return -EFAULT; + if (t.cmd != CHELSIO_SET_TRACE_FILTER) + return -EINVAL; tp = (const struct trace_params *)&t.sip; if (t.config_tx) -- 2.17.1
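Review bot: in the first hunk (CHELSIO_SET_QSET_PARAMS, around line 2147) the new `t.cmd` re-check is placed before the `t.qset_idx >= SGE_QSETS` and `in_range(t.intr_lat, ...)` tests, so no field from the second copy is acted on before the copy is confirmed to be the layout this case expects; every later hunk keeps that ordering. Worth a one-line comment at this first instance: a mismatch returns -EINVAL while an unrecognised command on the first fetch returns -EOPNOTSUPP (per the commit message), and the difference is intentional, since a mismatch means the user buffer changed underneath the driver rather than that the command is unsupported. With the same two lines repeated in eight cases, a tiny helper taking the copied cmd and the expected constant would keep them from drifting, but that is a style preference and not something to hold a stable backport for.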
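Review bot: minor style point in the CHELSIO_GET_QSET_PARAMS hunk (around line 2248): it leaves a blank line between the new check and the existing `/* Display qsets for all ports when offload enabled */` comment, while the other seven hunks put the check flush against the validation that follows it. Either reads fine; keeping the eight instances identical makes the pattern easier to grep for when the next ioctl case is added.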
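Review bot: the CHELSIO_LOAD_FW hunk (around line 2338) leaves the pre-existing `/* Check t.len sanity ? */` unresolved right beside the new check: `t.len` still flows from the second copy straight into `memdup_user(useraddr + sizeof(t), t.len)`. The cmd re-check does not change that; memdup_user refuses an allocation it cannot satisfy rather than overflowing, but an explicit upper bound on `t.len` (whatever maximum the firmware loader below tolerates) would be the natural companion to this fix and would turn the question mark into a check. Not a blocker for this backport, just the obvious follow-up.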
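The double fetch that the commit message describes, reduced to a user-space simulation so the effect of the re-check can be observed deterministically. This is an added example, not the driver's code and not part of the patch: the command ids CMD_SET_PARAMS and CMD_LOAD_BLOB, the request structs, `copy_from_user_sim`, and the `racer` callback that stands in for a concurrent user-space writer are all this example's own assumptions. The dispatcher mirrors the shape of cxgb_extension_ioctl: check the command from a first copy, then re-copy the whole request in the matching case, with `recheck` selecting the patched behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command ids and request layouts (this example's own names,
 * not the driver's). Every request starts with the command id, and the
 * dispatcher must re-copy the whole request once it knows the layout. */
enum { CMD_SET_PARAMS = 1, CMD_LOAD_BLOB = 2 };
struct set_params { uint32_t cmd; uint32_t idx; uint32_t value; };
struct load_blob  { uint32_t cmd; uint32_t len; };
#define MAX_IDX  8
#define MAX_BLOB 4096

/* Simulated user memory, shared with a "racing writer" that is modelled as
 * a plain callback so the race is deterministic rather than timing-based. */
static unsigned char user_buf[16];

/* Stand-in for copy_from_user(): 0 on success, -1 on overrun. */
static int copy_from_user_sim(void *dst, size_t n)
{
    if (n > sizeof(user_buf))
        return -1;
    memcpy(dst, user_buf, n);
    return 0;
}

/* Dispatcher with the double fetch. 'recheck' enables the patched
 * behaviour, 'racer' runs between the two fetches (NULL = no concurrent
 * writer), and 'acted_cmd' reports the cmd field of the struct the handler
 * actually received. Returns 0 or a negative errno. */
static int dispatch(int recheck, void (*racer)(void), uint32_t *acted_cmd)
{
    uint32_t cmd;

    if (copy_from_user_sim(&cmd, sizeof(cmd)))
        return -EFAULT;
    if (cmd != CMD_SET_PARAMS && cmd != CMD_LOAD_BLOB)
        return -EOPNOTSUPP;            /* first check, on the first copy */
    if (racer)
        racer();                       /* user space may rewrite the buffer */

    switch (cmd) {
    case CMD_SET_PARAMS: {
        struct set_params p;
        if (copy_from_user_sim(&p, sizeof(p)))
            return -EFAULT;
        *acted_cmd = p.cmd;
        if (recheck && p.cmd != CMD_SET_PARAMS)
            return -EINVAL;            /* second copy disagrees: reject */
        return p.idx < MAX_IDX ? 0 : -EINVAL;
    }
    case CMD_LOAD_BLOB: {
        struct load_blob b;
        if (copy_from_user_sim(&b, sizeof(b)))
            return -EFAULT;
        *acted_cmd = b.cmd;
        if (recheck && b.cmd != CMD_LOAD_BLOB)
            return -EINVAL;
        return b.len <= MAX_BLOB ? 0 : -EINVAL;
    }
    }
    return -EOPNOTSUPP;
}

/* Constructed scenario: user space presents a valid SET_PARAMS request,
 * then flips only the command id after the dispatcher's first fetch. */
static void present_set_params(void)
{
    struct set_params p = { CMD_SET_PARAMS, 3, 42 };
    memset(user_buf, 0, sizeof(user_buf));
    memcpy(user_buf, &p, sizeof(p));
}

static void flip_cmd_to_load_blob(void)
{
    uint32_t c = CMD_LOAD_BLOB;
    memcpy(user_buf, &c, sizeof(c));
}

static uint32_t last_acted_cmd;   /* cmd seen by the handler in the last run */

/* Racing writer present: only the patched variant rejects the request. */
static int race_result(int recheck)
{
    present_set_params();
    return dispatch(recheck, flip_cmd_to_load_blob, &last_acted_cmd);
}

/* No concurrent writer: both variants accept the same request. */
static int quiet_result(int recheck)
{
    present_set_params();
    return dispatch(recheck, NULL, &last_acted_cmd);
}

int main(void)
{
    int rc = race_result(0);
    printf("unpatched: rc=%d, SET_PARAMS handler got cmd=%u\n", rc, (unsigned)last_acted_cmd);
    rc = race_result(1);
    printf("patched:   rc=%d (expected %d)\n", rc, -EINVAL);
    return 0;
}
```

The unpatched path returns success while the struct it acted on carries a different command id than the case it was dispatched to; the patched path rejects it with -EINVAL, exactly the condition each hunk above adds. In the real driver the same shape applies to every field validated after the second copy: only values taken from that copy can be trusted, which is why the check has to live after `copy_from_user()` and not before it.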