git.osdn.net Git - uclinux-h8/linux.git/commit

author	Wenwen Wang <wang6495@umn.edu>
	Tue, 9 Oct 2018 13:15:38 +0000 (08:15 -0500)
committer	David S. Miller <davem@davemloft.net>
	Tue, 16 Oct 2018 04:37:01 +0000 (21:37 -0700)
commit	2bb3207dbbd4d30e96dd0e1c8e013104193bd59c
tree	78456187a2e91ef89a8ef0780dd793447e967ee7	tree \| snapshot
parent	d49c88d7677ba737e9d2759a87db0402d5ab2607	commit \| diff

ethtool: fix a missing-check bug

In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
'info_size'. Then the whole structure of 'info' is copied from the
user-space buffer 'useraddr' with 'info_size' bytes. In the following
execution, 'info' may be copied again from the buffer 'useraddr' depending
on the 'cmd' and the 'info.flow_type'. However, after these two copies,
there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
space, a malicious user can race to change the eth command in the buffer
between these copies. By doing so, the attacker can supply inconsistent
data and cause undefined behavior because in the following execution 'info'
will be passed to ops->get_rxnfc().

This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
they are still same after the two copies in ethtool_get_rxnfc(). Otherwise,
an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>