References: <20230601112839.13799-1-dinghui@sangfor.com.cn> <135a45b2c388fbaf9db4620cb01b95230709b9ac.camel@gmail.com> <6110cf9f-c10e-4b9b-934d-8d202b7f5794@lunn.ch> <6e28cea9-d615-449d-9c68-aa155efc8444@lunn.ch>
In-Reply-To: <6e28cea9-d615-449d-9c68-aa155efc8444@lunn.ch>
From: Alexander Duyck
Date: Fri, 2 Jun 2023 09:01:34 -0700
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user
To: Andrew Lunn
Cc: Ding Hui, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, pengdonglin@sangfor.com.cn, huangcun@sangfor.com.cn
On Fri, Jun 2, 2023 at 8:42 AM Andrew Lunn wrote:
>
> > > Also, RTNL should be held during the time both calls are made into the
> > > driver. So nothing from userspace should be able to get in the middle
> > > of these calls to change the number of queues.
> > >
> >
> > The RTNL lock is already held during each ioctl in dev_ethtool().
> >
> > rtnl_lock();
> > rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state);
> > rtnl_unlock();
>
> Yes, exactly. So the kernel should be safe from buffer overruns.
>
> Userspace will not get more than it asked for. It might get less, and
> it could be different to the previous calls. But I'm not aware of
> anything which says anything about the consistency between different
> invocations of ethtool -S.

The problem is the userspace allocation ends up requiring we make two
calls into the stack. So it takes the lock once to get the count,
performs the allocation, and then calls into ethtool again taking the
lock and by then the value may have changed. Within each call it is
held the entire time, but the userspace has to make two calls. So in
between the two the number of rings could potentially change.

What this change is essentially doing is clamping the copied data to
the lesser of the current value versus the value when the userspace
was allocated. However, I am wondering now if we shouldn't just update
the size value and return that as some sort of error for the userspace
to potentially reallocate and repeat until it has the right size.
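The two-call window Alexander describes, modelled in user space as an added example. This is not code from the thread, the patch or the kernel: the `sim_*` functions, the `pending_n_stats` hook that lands a count change between the two calls, and the error value `-2` standing in for "stale size" are all hypothetical. Call 1 plays ETHTOOL_GSSET_INFO, call 2 plays ETHTOOL_GSTATS in two variants: the clamp-to-the-lesser behaviour the patch amounts to, and the report-new-size-and-retry alternative Alexander floats, with the `ethtool -S` side of that loop written out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated driver state (hypothetical, not kernel code). */
#define SIM_MAX_STATS 64
static unsigned int dev_n_stats = 8;      /* stats the driver exports right now */
static unsigned int pending_n_stats = 0;  /* change that lands between the two ioctls */

/* Reset the model, and schedule a count change that takes effect right
 * after the next GSSET_INFO call, i.e. in the window between the two
 * ioctls userspace has to make (RTNL is held within each call only). */
void sim_reset(unsigned int n) { dev_n_stats = n; pending_n_stats = 0; }
void sim_schedule_change(unsigned int n) { pending_n_stats = n; }
unsigned int sim_current_n_stats(void) { return dev_n_stats; }

/* Call 1: model of ETHTOOL_GSSET_INFO. The count is stable for the
 * duration of the call; once it returns, any scheduled change lands. */
unsigned int sim_gsset_info(void) {
    unsigned int n = dev_n_stats;
    if (pending_n_stats) { dev_n_stats = pending_n_stats; pending_n_stats = 0; }
    return n;
}

/* Driver fill with constructed counter values. */
static void sim_driver_get_stats(uint64_t *dst, unsigned int n) {
    for (unsigned int i = 0; i < n; i++) dst[i] = 1000 + i;
}

/* Call 2, clamp model (what the patch amounts to, as Alexander describes it):
 * copy min(user_n, current) counters, never past the caller's buffer, and
 * report how many were actually copied. */
int sim_gstats_clamped(uint64_t *buf, unsigned int user_n, unsigned int *n_out) {
    uint64_t tmp[SIM_MAX_STATS];
    unsigned int cur = dev_n_stats;
    if (cur > SIM_MAX_STATS) return -1;
    sim_driver_get_stats(tmp, cur);
    unsigned int n = user_n < cur ? user_n : cur;
    memcpy(buf, tmp, (size_t)n * sizeof(*buf));
    *n_out = n;
    return 0;
}

/* Call 2, retry model (Alexander's alternative): if the caller's buffer is
 * now too small, report the current count and fail so the caller can
 * reallocate and repeat; otherwise copy everything and report the count. */
int sim_gstats_retry(uint64_t *buf, unsigned int user_n, unsigned int *n_out) {
    uint64_t tmp[SIM_MAX_STATS];
    unsigned int cur = dev_n_stats;
    if (cur > SIM_MAX_STATS) return -1;
    *n_out = cur;
    if (cur > user_n) return -2;              /* stale size: caller must resize */
    sim_driver_get_stats(tmp, cur);
    memcpy(buf, tmp, (size_t)cur * sizeof(*buf));
    return 0;
}

/* Userspace side of `ethtool -S` against the retry model: size the buffer
 * from call 1, fetch with call 2, and resize on a stale-count error.
 * Returns the number of stats read into *out (caller frees it), or 0 on
 * failure or when the attempt budget runs out. */
unsigned int read_stats_with_retry(uint64_t **out, int max_attempts) {
    unsigned int n = sim_gsset_info();
    for (int attempt = 0; attempt < max_attempts; attempt++) {
        uint64_t *buf = calloc(n ? n : 1, sizeof(*buf));
        if (!buf) return 0;
        unsigned int got = 0;
        int rc = sim_gstats_retry(buf, n, &got);
        if (rc == 0) { *out = buf; return got; }
        free(buf);
        if (rc != -2) return 0;
        n = got;                              /* the kernel told us the new size */
    }
    return 0;
}

int main(void) {
    uint64_t *stats = NULL;
    sim_reset(8);
    sim_schedule_change(12);                  /* queue count grows mid-sequence */
    unsigned int n = read_stats_with_retry(&stats, 3);
    printf("read %u stats (driver now exports %u)\n", n, sim_current_n_stats());
    free(stats);
    return 0;
}
```

The clamp variant is the one that keeps the copy inside the buffer userspace actually allocated, at the cost of silently returning fewer counters when the count grew; the retry variant makes the stale size visible so the caller can loop, but needs a bounded attempt count so a driver whose count keeps moving cannot spin it forever.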