• Wenwen Wang's avatar
    net: socket: fix a missing-check bug · f57ef24f
    Wenwen Wang authored
    [ Upstream commit b6168562c8ce2bd5a30e213021650422e08764dc ]
    In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
    statement to see whether it is necessary to pre-process the ethtool
    structure, because, as mentioned in the comment, the structure
    ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
    is allocated through compat_alloc_user_space(). One thing to note here is
    that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
    partially determined by 'rule_cnt', which is actually acquired from the
    user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
    get_user(). After 'rxnfc' is allocated, the data in the original user-space
    buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
    including the 'rule_cnt' field. However, after this copy, no check is
    re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
    race to change the value in the 'compat_rxnfc->rule_cnt' between these two
    copies. Through this way, the attacker can bypass the previous check on
    'rule_cnt' and inject malicious data. This can cause undefined behavior of
    the kernel and introduce potential security risk.
    This patch avoids the above issue via copying the value acquired by
    get_user() to 'rxnfc->rule_cn', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
socket.c 80.5 KB