From: Kelly Anderson
To: linux-kernel@vger.kernel.org
Subject: ethtool_get_rxnfc: Buffer overflow detected (8 < 192)!
Date: Sat, 18 Sep 2021 18:16:40 -0600
Message-ID: <5756374.lOV4Wx5bFT@comer.internal>
Organization: Xilka

New patches in 5.14.6 cause a problem in ethtool_get_rxnfc.
It seems someone has allocated a variable length struct @958:ioctl.c: struct ethtool_rxnfc info. Unfortunately, depending on the calls being made, the struct cannot hold the variable length part of the data. Luckily the error checking caught this; otherwise it would be messing up the stack.

Sep 18 15:11:27 bbb.internal kernel: Buffer overflow detected (8 < 192)!
Sep 18 15:11:27 bbb.internal kernel: WARNING: CPU: 4 PID: 1434 at include/linux/thread_info.h:200 ethtool_rxnfc_copy_to_user+0x26/0xa0
Sep 18 15:11:27 bbb.internal kernel: Modules linked in: xt_CHECKSUM xt_MASQUERADE ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat ip6table_filter ip6_tables xt_tcpudp xt_set xt_LOG nf_log_syslog xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip_set_hash_ipport ip_set_list_set ip_set_hash_net ip_set_hash_ip ip_set nfnetlink amdgpu iommu_v2 gpu_sched snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi wmi_bmof mxm_wmi sp5100_tco crct10dif_pclmul ghash_clmulni_intel pcspkr fam15h_power k10temp radeon ixgbe i2c_piix4 ptp i2c_algo_bit drm_ttm_helper snd_hda_intel pps_core ttm snd_intel_dspcfg mdio snd_intel_sdw_acpi dca drm_kms_helper snd_hda_codec xhci_pci xhci_pci_renesas snd_hda_core cec snd_pcm fb_sys_fops snd_timer syscopyarea sysfillrect snd sysimgblt soundcore wmi evdev sch_fq_codel xt_limit vhost_net vhost vhost_iotlb tap tun sha512_ssse3 sha1_ssse3 sg rpcsec_gss_krb5 r8169 realtek mdio_devres libphy macvlan
Sep 18 15:11:27 bbb.internal kernel: kvm_amd ccp rng_core kvm irqbypass it87 hwmon_vid hwmon msr ftdi_sio cpuid camellia_aesni_avx_x86_64 camellia_x86_64 br_netfilter bridge stp llc aesni_intel crypto_simd cryptd drm nfsd configfs ip_tables x_tables
Sep 18 15:11:27 bbb.internal kernel: CPU: 4 PID: 1434 Comm: nmbd Tainted: G T 5.14.6 #1
Sep 18 15:11:27 bbb.internal kernel: Hardware name: To be filled by O.E.M. To be filled by O.E.M./SABERTOOTH 990FX R2.0, BIOS 2901 05/04/2016
Sep 18 15:11:27 bbb.internal kernel: RIP: 0010:ethtool_rxnfc_copy_to_user+0x26/0xa0
Sep 18 15:11:27 bbb.internal kernel: Code: ff 0f 1f 00 41 55 65 48 8b 04 25 00 6d 01 00 41 54 55 53 f6 40 10 02 75 23 be 08 00 00 00 48 c7 c7 68 16 30 aa e8 01 85 13 00 <0f> 0b 41 bc f2 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d c3 48 89 fb 49
Sep 18 15:11:27 bbb.internal kernel: RSP: 0018:ffffb9ca819bbb10 EFLAGS: 00010282
Sep 18 15:11:27 bbb.internal kernel: RAX: 0000000000000000 RBX: ffffffffc071a440 RCX: 0000000000000027
Sep 18 15:11:27 bbb.internal kernel: RDX: ffff9d78ded17508 RSI: 0000000000000001 RDI: ffff9d78ded17500
Sep 18 15:11:27 bbb.internal kernel: RBP: ffffb9ca819bbb40 R08: 0000000000000000 R09: ffffb9ca819bb948
Sep 18 15:11:27 bbb.internal kernel: R10: ffffb9ca819bb940 R11: ffffffffaa6beda8 R12: 0000000000000000
Sep 18 15:11:27 bbb.internal kernel: R13: 00007ffe1b458980 R14: 0000000000000000 R15: ffff9d71c7e08000
Sep 18 15:11:27 bbb.internal kernel: FS: 00007fcd84c55a40(0000) GS:ffff9d78ded00000(0000) knlGS:0000000000000000
Sep 18 15:11:27 bbb.internal kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 18 15:11:27 bbb.internal kernel: CR2: 00005576720f14d8 CR3: 0000000243892000 CR4: 00000000000406e0
Sep 18 15:11:27 bbb.internal kernel: Call Trace:
Sep 18 15:11:27 bbb.internal kernel: ethtool_get_rxnfc+0xce/0x1b0
Sep 18 15:11:27 bbb.internal kernel: dev_ethtool+0xc26/0x2d90
Sep 18 15:11:27 bbb.internal kernel: ? inet_ioctl+0xe5/0x210
Sep 18 15:11:27 bbb.internal kernel: dev_ioctl+0x188/0x490
Sep 18 15:11:27 bbb.internal kernel: sock_do_ioctl+0xe9/0x180
Sep 18 15:11:27 bbb.internal kernel: sock_ioctl+0x273/0x370
Sep 18 15:11:27 bbb.internal kernel: __x64_sys_ioctl+0x7c/0xb0
Sep 18 15:11:27 bbb.internal kernel: do_syscall_64+0x64/0x90
Sep 18 15:11:27 bbb.internal kernel: ? sock_alloc_file+0x56/0xa0
Sep 18 15:11:27 bbb.internal kernel: ? get_vtime_delta+0xa/0xb0
Sep 18 15:11:27 bbb.internal kernel: ? vtime_user_enter+0x17/0x70
Sep 18 15:11:27 bbb.internal kernel: ? __context_tracking_enter+0x5c/0x60
Sep 18 15:11:27 bbb.internal kernel: ? syscall_exit_to_user_mode+0x39/0x40
Sep 18 15:11:27 bbb.internal kernel: ? do_syscall_64+0x71/0x90
Sep 18 15:11:27 bbb.internal kernel: ? syscall_exit_to_user_mode+0x39/0x40
Sep 18 15:11:27 bbb.internal kernel: ? do_syscall_64+0x71/0x90
Sep 18 15:11:27 bbb.internal kernel: ? vtime_user_enter+0x17/0x70
Sep 18 15:11:27 bbb.internal kernel: ? __context_tracking_enter+0x5c/0x60
Sep 18 15:11:27 bbb.internal kernel: entry_SYSCALL_64_after_hwframe+0x44/0xae
Sep 18 15:11:27 bbb.internal kernel: RIP: 0033:0x7fcd84b1a767
Sep 18 15:11:27 bbb.internal kernel: Code: 3c 1c e8 2c ff ff ff 85 c0 79 97 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 99 16 0f 00 f7 d8 64 89 01 48
Sep 18 15:11:27 bbb.internal kernel: RSP: 002b:00007ffe1b458938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
Sep 18 15:11:27 bbb.internal kernel: RAX: ffffffffffffffda RBX: 00005576720f0160 RCX: 00007fcd84b1a767
Sep 18 15:11:27 bbb.internal kernel: RDX: 00007ffe1b458950 RSI: 0000000000008946 RDI: 000000000000000f
Sep 18 15:11:27 bbb.internal kernel: RBP: 00007ffe1b458a50 R08: 0000000000000000 R09: 00007fcd84b6e070
Sep 18 15:11:27 bbb.internal kernel: R10: 0000000000000040 R11: 0000000000000246 R12: 00007ffe1b458ee8
Sep 18 15:11:27 bbb.internal kernel: R13: 00005576702c9649 R14: 00007fcd85187c40 R15: 000055767030a350
Sep 18 15:11:27 bbb.internal kernel: ---[ end trace d48f50afc5752bb2 ]---
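The warning in the trace is produced by the kernel's fortified copy_to_user(): check_copy_size() in include/linux/thread_info.h compares the compile-time size of the source buffer, as __builtin_object_size() reports it at the call site, with the requested length, and when the length is not a compile-time constant it calls copy_overflow(), which prints exactly "Buffer overflow detected (%d < %lu)!" and makes the copy fail instead of reading past the object (the `41 bc f2 ff ff ff` right after the `<0f> 0b` ud2 in the Code: line loads -EFAULT into r12d, which is that refusal reaching the caller). 192 is sizeof(struct ethtool_rxnfc) on x86_64; 8 is all the compiler knew about the source object, i.e. one pointer's worth. The following user-space model of that check is an added example, not code from the report or from the kernel. It reproduces the check with a macro so the builtin is evaluated where the copy is written, and it assumes, for illustration only, that the 8-byte object is the address of a pointer variable passed where the pointer itself belonged; the report does not establish that. struct rxnfc_like, copy_out_wrong(), copy_out_right() and demo() are stand-ins invented here, and the stand-in struct is merely sized to the 192 in the report, not laid out like the real uapi struct.

```c
/* Added example: user-space model of the fortified copy_to_user() size
 * check behind "Buffer overflow detected (8 < 192)!". Not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct ethtool_rxnfc, sized to the 192 bytes in the report.
 * Assumption: the real uapi layout is not reproduced here. */
struct rxnfc_like {
    unsigned char bytes[192];
};
#define RXNFC_SIZE sizeof(struct rxnfc_like)

/* Number of copies the check refused during the last demo() run. */
static int overflow_count;

/* Model of check_copy_size(): sz is __builtin_object_size(src, 0) as seen at
 * the call site, -1 when the compiler cannot tell. Returns 0 and logs when
 * the requested copy would read past the known object. */
static int check_copy_size(long sz, size_t bytes, const char *what)
{
    if (sz >= 0 && (size_t)sz < bytes) {
        overflow_count++;
        printf("%s: Buffer overflow detected (%ld < %zu)!\n", what, sz, bytes);
        return 0;
    }
    return 1;
}

/* Model of copy_to_user(): like the kernel it returns the number of bytes
 * NOT copied, so a refused copy looks like a fault (-EFAULT) to the caller. */
static size_t copy_to_user_checked(void *dst, const void *src, size_t n,
                                   long known_src_size, const char *what)
{
    if (!check_copy_size(known_src_size, n, what))
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* The macro is what makes the check work: __builtin_object_size() must be
 * evaluated in the caller, where it can see what `src` actually is. */
#define copy_to_user(dst, src, n, what) \
    copy_to_user_checked((dst), (src), (n), \
                         (long)__builtin_object_size((src), 0), (what))

/* Assumed buggy copy-out: the source is the address of the pointer variable,
 * so the compiler-known object is one pointer (8 bytes on x86_64) while the
 * copy asks for 192. Without the check this would read 184 bytes of stack
 * past `rxnfc` into user memory. */
static size_t copy_out_wrong(void *useraddr, const struct rxnfc_like *rxnfc,
                             size_t size)
{
    return copy_to_user(useraddr, &rxnfc, size, "wrong");
}

/* Correct copy-out: the source is the pointee. Its size is either unknown
 * here (-1, check passes) or, once inlined, exactly 192, which also passes. */
static size_t copy_out_right(void *useraddr, const struct rxnfc_like *rxnfc,
                             size_t size)
{
    return copy_to_user(useraddr, rxnfc, size, "right");
}

/* Runs both variants against a filled-in stack struct. Returns 1 when the
 * wrong variant was refused outright and the right one delivered every byte
 * of the struct to the "user" buffer. */
int demo(void)
{
    struct rxnfc_like info;
    struct rxnfc_like user;
    size_t i, not_copied_wrong, not_copied_right;

    overflow_count = 0;
    for (i = 0; i < RXNFC_SIZE; i++)
        info.bytes[i] = (unsigned char)i;

    memset(&user, 0, sizeof(user));
    not_copied_wrong = copy_out_wrong(&user, &info, RXNFC_SIZE);

    memset(&user, 0, sizeof(user));
    not_copied_right = copy_out_right(&user, &info, RXNFC_SIZE);

    return not_copied_wrong == RXNFC_SIZE && not_copied_right == 0 &&
           memcmp(&user, &info, RXNFC_SIZE) == 0;
}

int main(void)
{
    printf("demo: %s\n", demo() ? "check caught the bad copy" : "unexpected");
    return 0;
}
```

This behaves the same at -O0 and -O2: __builtin_object_size() resolves `&rxnfc` directly as the address of a declared object, so the wrong variant is caught without any optimization, while the pointee's size in copy_out_right() is either unknown or equal to the copy length and the check stays quiet. The kernel's real check differs from this model only in that a compile-time-constant oversized length becomes a build failure (__bad_copy_to()) rather than a runtime WARN.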