Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp488411ybl; Tue, 28 Jan 2020 06:44:43 -0800 (PST) X-Google-Smtp-Source: APXvYqwopxI8BzSBCkwayHxbE7Mf2bZDK4uXz2VV5ZIqU+OabGEfhpIJnWYpge7mfs52MtQwoyjk X-Received: by 2002:a54:450d:: with SMTP id l13mr3106027oil.117.1580222683817; Tue, 28 Jan 2020 06:44:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580222683; cv=none; d=google.com; s=arc-20160816; b=yV0ol0z3u9Ao8ltEMf/c6n3txxvW/fgmNfalW2/ybaQYZTpHpjObFWBp5KzteNcPo9 lIAcS43/5N75NgQyKqE4QDutEipELDn3O+BSy8U/zU8GZ3jK1Okko5jrxGCv7IsXxfyT X9GcQTcWwF+EOvDfjqUx+QlQWg8H1fyx8aaj8h8TKuUZk9azEOOSSHXrSS9SW216GeWj vnj3GmU6BzqHzq+SlImCzvDxFeXctEfPRsvFagWjW3rf3wwcSpfditmSc/EdV+CCPQCD 6YrE5ZJmG3QiS9/4y7jb/cqy8oOq6+ljNjrv937n4qOkrPfVvpAuXAwC6UU5EQAE5zM8 AV2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=yZGzT2OgduoWopDwkuEDUK5xCM0ugRFBrjVfEGXJwGw=; b=A6NghUu/bvFTVVrV/ciZ3fINfS2Bro3544d/2VR/HWYiorFNJYjKawbAOG+zD7XUNS b7SiUE/YaDDt9mWGciXkoiQuUov0H/jaM5SFVavlywnBYjRwaJkJZJoI9y7ve2yASlA5 3CH67o8wmJ0tnHWV3eU0BfPFXaICCYvp1gHe+YtC4C2LdZRYZ0KGz4wYEimRl8xbBHLV RqaYIQ2eirW4ZmxdWl4xMVevsimuK2LidWsUqOtKy/r6WwAv6PwAW2lpEPxWaXE6EEfH UzhuFL4K3vxCgFlQ3A1gY3ZlL6wphI1e0B3dA5BquGOhApe3OLKAiH/bhypQ/uPWMlvV dp9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=A900aITC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p7si7624347otl.17.2020.01.28.06.44.31; Tue, 28 Jan 2020 06:44:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=A900aITC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726651AbgA1Ol5 (ORCPT + 99 others); Tue, 28 Jan 2020 09:41:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:35486 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729465AbgA1ONo (ORCPT ); Tue, 28 Jan 2020 09:13:44 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 145EA2469F; Tue, 28 Jan 2020 14:13:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580220823; bh=s/BuiSSY5Ix20OsSRVrpCV/xwK8+GzGwp4/WdzVuPcU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A900aITCtaSlKiuvejQdJeg6Za9Ulo0ovu8yFL7TkjB/kadjee7lJKQayP5HjodMO aQP6fnd/41ec9FlGmoHzkyOqauynMZE24CXmzlsNV3zPvkTt95SnIfO35yowJrl3MG QfYb2TXARCSxJPHhXYmEtNdKBJ2gl+Y3T+oQAlgs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilja Van Sprundel , Michael Ellerman , "David S. Miller" Subject: [PATCH 4.4 162/183] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Date: Tue, 28 Jan 2020 15:06:21 +0100 Message-Id: <20200128135845.878970643@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200128135829.486060649@linuxfoundation.org> References: <20200128135829.486060649@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Michael Ellerman [ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a = The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in cxgb_extension_ioctl(). One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears to read memory directly out of the adapter and return it to userspace. It's not entirely clear what the contents of the adapter memory contains, but the assumption is that it shouldn't be accessible to all users. So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after the is_offload() check, which matches two of the other subcommands in the same function which also check for is_offload() and CAP_NET_ADMIN. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel Signed-off-by: Michael Ellerman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c @@ -2437,6 +2437,8 @@ static int cxgb_extension_ioctl(struct n if (!is_offload(adapter)) return -EOPNOTSUPP; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; if (!(adapter->flags & FULL_INIT_DONE)) return -EIO; /* need the memory controllers */ if (copy_from_user(&t, useraddr, sizeof(t)))