Date: Mon, 10 Jun 2019 16:23:23 +0200
From: Greg Kroah-Hartman
To: Michal Kubecek
Cc: stable@vger.kernel.org, Pavel Machek, linux-kernel@vger.kernel.org, Vivien Didelot, "David S. Miller"
Subject: Re: [PATCH 4.19 01/51] ethtool: fix potential userspace buffer overflow
Message-ID: <20190610142323.GD5937@kroah.com>

On Mon, Jun 10, 2019 at 10:42:29AM +0200, Michal Kubecek wrote:
> On Mon, Jun 10, 2019 at 10:21:12AM +0200, Pavel Machek wrote:
> > Hi!
> >
> > > From: Vivien Didelot
> > >
> > > [ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
> > >
> > > ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
> > > and pass it to the kernel driver via ops->get_regs() for filling.
> > >
> > > There is no restriction about what the kernel drivers can or cannot do
> > > with the open ethtool_regs structure. They usually set regs->version
> > > and ignore regs->len or set it to the same size as ops->get_regs_len().
> > >
> > > But if userspace allocates a smaller buffer for the registers dump,
> > > we would cause a userspace buffer overflow in the final copy_to_user()
> > > call, which uses the regs.len value potentially reset by the driver.
> > >
> > > To fix this, make this case obvious and store regs.len before calling
> > > ops->get_regs(), to only copy as much data as requested by userspace,
> > > up to the value returned by ops->get_regs_len().
> > >
> > > While at it, remove the redundant check for non-null regbuf.
> >
> > Mainline differs from 4.19-stable here, and while the non-null check
> > is redundant in -mainline, it does not seem to be redundant in
> > -stable.
> >
> > In stable, if get_regs_len() returns < 0, we'll pass it to vzalloc.
>
> Right. :-(
>
> I guess we should also pick commit f9fc54d313fa ("ethtool: check the
> return value of get_regs_len") to stable branches before 5.0.

Now queued up, thanks.

greg k-h
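
The length handling discussed in this thread, as an added user-space C model (not the kernel patch and not code from any participant): it contrasts taking the copy length after the driver callback with clamping and saving it beforehand, and rejects an error return from the length callback before allocating. The struct regs_hdr, the drv_* callbacks, both function names and the error values are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-space model of the header userspace passes in; not the kernel struct. */
struct regs_hdr { uint32_t version; uint32_t len; };
typedef int  (*get_len_fn)(void);
typedef void (*get_regs_fn)(struct regs_hdr *, unsigned char *);

/* Constructed driver callbacks: a 64-byte dump, and a failing length query. */
int  drv_len(void)     { return 64; }
int  drv_len_err(void) { return -95; }
void drv_regs(struct regs_hdr *h, unsigned char *buf)
{
    h->version = 1;
    h->len = 64;              /* driver overwrites len with its full dump size */
    memset(buf, 0xAB, 64);
}

/* Pre-fix model: the final copy length is read back after the driver ran.
 * Only the length is returned; no copy is made. Call with a positive length. */
long copy_len_before_fix(get_len_fn gl, get_regs_fn gr, uint32_t user_len)
{
    int reglen = gl();
    struct regs_hdr h = { 0, user_len };
    unsigned char *buf = calloc(1, (size_t)reglen);
    if (!buf) return -12;
    gr(&h, buf);
    free(buf);
    return (long)h.len;       /* can exceed what userspace allocated */
}

/* Fixed model: clamp and save the requested length before the callback. */
long copy_regs_fixed(get_len_fn gl, get_regs_fn gr, unsigned char *user_buf, uint32_t user_len)
{
    int reglen = gl();
    if (reglen <= 0) return reglen;   /* never size an allocation from an error code */
    uint32_t n = user_len < (uint32_t)reglen ? user_len : (uint32_t)reglen;
    struct regs_hdr h = { 0, n };
    unsigned char *buf = calloc(1, (size_t)reglen);
    if (!buf) return -12;
    gr(&h, buf);
    memcpy(user_buf, buf, n);         /* n cannot be changed by the driver */
    free(buf);
    return (long)n;
}

int main(void)
{
    unsigned char small[16];
    return copy_regs_fixed(drv_len, drv_regs, small, sizeof small) == 16 ? 0 : 1;
}
```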