From patchwork Tue Oct 9 13:15:38 2018
X-Patchwork-Submitter: Wenwen Wang
X-Patchwork-Id: 981216
X-Patchwork-Delegate: davem@davemloft.net
From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, "David S. Miller", Florian Fainelli, Kees Cook, Ilya Lesokhin, Edward Cree, Yury Norov, Alan Brady, Eugenia Emantayev, Stephen Hemminger, netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] ethtool: fix a missing-check bug
Date: Tue, 9 Oct 2018 08:15:38 -0500
Message-Id: <1539090940-5323-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

In ethtool_get_rxnfc(), the eth command 'cmd' is compared against 'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable 'info_size'. Then the whole structure of 'info' is copied from the user-space buffer 'useraddr' with 'info_size' bytes. In the following execution, 'info' may be copied again from the buffer 'useraddr' depending on the 'cmd' and the 'info.flow_type'. However, after these two copies, there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also copied from the buffer 'useraddr' in dev_ethtool(), which is the caller function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user space, a malicious user can race to change the eth command in the buffer between these copies. By doing so, the attacker can supply inconsistent data and cause undefined behavior because in the following execution 'info' will be passed to ops->get_rxnfc().

This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that they are still the same after the two copies in ethtool_get_rxnfc(). Otherwise, an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang

--- net/core/ethtool.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/ethtool.c b/net/core/ethtool.c index c9993c6..0136625 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c 
@@ -1015,6 +1015,9 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, return -EINVAL; } + if (info.cmd != cmd) + return -EINVAL; + if (info.cmd == ETHTOOL_GRXCLSRLALL) { if (info.rule_cnt > 0) { if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
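Review bot: the added `if (info.cmd != cmd)` test in ethtool_get_rxnfc() carries no comment saying that it exists because 'useraddr' is read more than once (in dev_ethtool() and again here), so to a later reader it looks like a redundant comparison that a cleanup could drop. A one-line comment above the test naming the repeated user-space copy would keep the intent visible. Since the code immediately after it still branches on `info.cmd` (`if (info.cmd == ETHTOOL_GRXCLSRLALL)`), it is also worth stating in the changelog whether any path after this point re-reads 'useraddr' into 'info'; the check only covers the copies that precede it.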