From patchwork Fri Mar 11 17:58:16 2016
X-Patchwork-Submitter: David Decotigny
X-Patchwork-Id: 596426
X-Patchwork-Delegate: davem@davemloft.net
From: David Decotigny
To: netdev@vger.kernel.org
Cc: Jeff Garzik, Ben Hutchings, David Miller, Vidya Sagar Ravipati, Joe Perches, David Decotigny
Subject: [ethtool PATCH v4 03/11] ethtool.c: fix dump_regs heap corruption
Date: Fri, 11 Mar 2016 09:58:16 -0800
Message-Id: <1457719104-39188-4-git-send-email-ddecotig@gmail.com>
In-Reply-To: <1457719104-39188-1-git-send-email-ddecotig@gmail.com>
References: <1457719104-39188-1-git-send-email-ddecotig@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: David Decotigny

The 'regs' pointer is owned by do_gregs(), but updated internally inside dump_regs() without propagating it back to do_gregs(): later free(regs) in do_gregs() reclaims the wrong area. This commit moves the realloc() inside do_gregs().

Signed-off-by: David Decotigny
---
 ethtool.c | 46 +++++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 21 deletions(-)

diff --git a/ethtool.c b/ethtool.c
index 9f80d5f..7c2b5cb 100644
--- a/ethtool.c
+++ b/ethtool.c
@@ -994,7 +994,6 @@ void dump_hex(FILE *file, const u8 *data, int len, int offset) } static int dump_regs(int gregs_dump_raw, int gregs_dump_hex, - const char *gregs_dump_file, struct ethtool_drvinfo *info, struct ethtool_regs *regs) { int i; @@ -1004,25 +1003,6 @@ static int dump_regs(int gregs_dump_raw, int gregs_dump_hex, return 0; } - if (gregs_dump_file) { - FILE *f = fopen(gregs_dump_file, "r"); - struct stat st; - size_t nread; - - if (!f || fstat(fileno(f), &st) < 0) { - fprintf(stderr, "Can't open '%s': %s\n", - gregs_dump_file, strerror(errno)); - return -1; - } - - regs = realloc(regs, sizeof(*regs) + st.st_size); - regs->len = st.st_size; - nread = fread(regs->data, regs->len, 1, f); - fclose(f); - if (nread != 1) - return -1; - } - if (!gregs_dump_hex) for (i = 0; i < ARRAY_SIZE(driver_list); i++) if (!strncmp(driver_list[i].name, info->driver, @@ -2711,7 +2691,31 @@ static int do_gregs(struct cmd_context *ctx) free(regs); return 74; } - if (dump_regs(gregs_dump_raw, gregs_dump_hex, gregs_dump_file, + + if (!gregs_dump_raw && gregs_dump_file != NULL) { + /* overwrite reg values from file dump */ + FILE *f = fopen(gregs_dump_file, "r"); + struct stat st; + size_t nread; + + if (!f || fstat(fileno(f), &st) < 0) { + fprintf(stderr, "Can't open '%s': %s\n", + gregs_dump_file, strerror(errno)); + free(regs); + return 75; + } + + regs = realloc(regs, sizeof(*regs) + st.st_size); + regs->len = st.st_size; + nread = fread(regs->data, regs->len, 1, f); + fclose(f); + if (nread != 1) { + free(regs); + return 75; + } + } + + if (dump_regs(gregs_dump_raw, gregs_dump_hex, &drvinfo, regs) < 0) { fprintf(stderr, "Cannot dump registers\n"); free(regs);
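
Review bot: In the do_gregs() hunk (@@ -2711,7 +2691,31 @@), the return value of `regs = realloc(regs, sizeof(*regs) + st.st_size);` is assigned straight back to regs and dereferenced on the next line (`regs->len = st.st_size;`) with no NULL check, so an allocation failure both loses the original buffer and writes through a NULL pointer. Since the block is being moved anyway, this is a good moment to assign the result to a temporary and, on NULL, fclose(f), free(regs) and return 75. Two smaller points in the same hunk: when fopen() succeeds but fstat() fails, the error path returns without fclose(f); and the `nread != 1` branch now returns 75 without printing anything, whereas before the move a short read made dump_regs() return -1 and the caller printed "Cannot dump registers", so a message on that path would keep the failure visible to the user.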