    net: socket: fix a missing-check bug · 98528072
    Wenwen Wang authored
    [ Upstream commit b6168562c8ce2bd5a30e213021650422e08764dc ]
    
    In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
    statement to see whether it is necessary to pre-process the ethtool
    structure, because, as mentioned in the comment, the structure
    ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
    is allocated through compat_alloc_user_space(). One thing to note here is
    that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
    partially determined by 'rule_cnt', which is actually acquired from the
    user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
    get_user(). After 'rxnfc' is allocated, the data in the original user-space
    buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
    including the 'rule_cnt' field. However, after this copy, no check is
    re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
    races to change the value in 'compat_rxnfc->rule_cnt' between these two
    copies. Through this way, the attacker can bypass the previous check on
    'rule_cnt' and inject malicious data. This can cause undefined behavior of
    the kernel and introduce a potential security risk.
    
    This patch avoids the above issue via copying the value acquired by
    get_user() to 'rxnfc->rule_cnt', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.

    Signed-off-by: Wenwen Wang <wang6495@umn.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
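The double fetch described in the commit message, as an added example that is not the kernel's code: a user-space model in which struct fake_rxnfc, MAX_RULES, USER_LOCS, the racer_* callbacks, compat_prepare() and run_scenario() are constructed stand-ins, not struct ethtool_rxnfc or ethtool_ioctl(). The attacker's concurrent thread is modeled as a callback invoked in the window between the two fetches so the result is deterministic, and the out-of-bounds fill is measured rather than performed. The `patched` flag reproduces the fix the message describes: the value obtained by the first get_user() is written back into rxnfc->rule_cnt after the bulk copy.

```c
/*
 * Added example, not the kernel's code: a user-space model of the double
 * fetch of compat_rxnfc->rule_cnt described in the commit message and of
 * the fix. struct fake_rxnfc, MAX_RULES, USER_LOCS, the racer callbacks,
 * compat_prepare() and run_scenario() are constructed stand-ins; they are
 * not struct ethtool_rxnfc or ethtool_ioctl().
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 4u      /* hypothetical bound enforced by the first check */
#define USER_LOCS 1000u   /* capacity of the constructed user-space buffer */

/* Header of the constructed user-visible structure; rule_locs[] follows it. */
struct fake_rxnfc {
    uint32_t cmd;
    uint32_t rule_cnt;
    uint32_t rule_locs[];
};

/* The attacker's second thread, modeled as a callback that runs in the
 * window between the kernel's two fetches of the same user field. */
typedef void (*racer_fn)(struct fake_rxnfc *user);
static void racer_none(struct fake_rxnfc *user) { (void)user; }
static void racer_bump(struct fake_rxnfc *user) { user->rule_cnt = USER_LOCS; }

/*
 * Model of the compat pre-processing for ETHTOOL_GRXCLSRLALL. Returns -1 if
 * the size check rejects the request; otherwise the number of rule_locs[]
 * entries a consumer trusting rxnfc->rule_cnt would write past the buffer
 * that was sized from the first fetch (0 means no overrun).
 */
static int compat_prepare(struct fake_rxnfc *user, racer_fn racer, int patched)
{
    uint32_t rule_cnt = user->rule_cnt;                 /* fetch #1: get_user() */
    if (rule_cnt > MAX_RULES)
        return -1;                                      /* the only bounds check */

    size_t buf_size = sizeof(struct fake_rxnfc) + rule_cnt * sizeof(uint32_t);
    struct fake_rxnfc *rxnfc = malloc(buf_size);        /* compat_alloc_user_space() */
    if (!rxnfc)
        return -1;

    racer(user);                                        /* attacker wins the race here */

    memcpy(rxnfc, user, sizeof(struct fake_rxnfc));     /* fetch #2: copy_in_user(), rule_cnt included */
    if (patched)
        rxnfc->rule_cnt = rule_cnt;                     /* the fix: write back the value that was checked */

    /* The consumer treats rxnfc->rule_cnt as the capacity of rule_locs[].
     * Measure the overrun instead of performing it. */
    int overrun = rxnfc->rule_cnt > rule_cnt ? (int)(rxnfc->rule_cnt - rule_cnt) : 0;
    for (uint32_t i = 0; i < rxnfc->rule_cnt && i < rule_cnt; i++)
        rxnfc->rule_locs[i] = i;                        /* the in-bounds part of the fill */

    free(rxnfc);
    return overrun;
}

/* Builds a constructed user-space buffer with the given initial rule_cnt
 * and runs one scenario through compat_prepare(). */
static int run_scenario(uint32_t initial_rule_cnt, racer_fn racer, int patched)
{
    size_t user_size = sizeof(struct fake_rxnfc) + USER_LOCS * sizeof(uint32_t);
    struct fake_rxnfc *user = calloc(1, user_size);
    if (!user)
        return -1;
    user->cmd = 0;                                      /* unused by this model */
    user->rule_cnt = initial_rule_cnt;
    int result = compat_prepare(user, racer, patched);
    free(user);
    return result;
}

int main(void)
{
    printf("rule_cnt=5, no race, unpatched: %d (rejected by the check)\n",
           run_scenario(MAX_RULES + 1, racer_none, 0));
    printf("rule_cnt=2, no race, unpatched: %d entries overrun\n",
           run_scenario(2, racer_none, 0));
    printf("rule_cnt=2, race,    unpatched: %d entries overrun\n",
           run_scenario(2, racer_bump, 0));
    printf("rule_cnt=2, race,    patched:   %d entries overrun\n",
           run_scenario(2, racer_bump, 1));
    return 0;
}
```

A real attacker replaces the callback with a second thread that flips the field in a loop while the ioctl is issued repeatedly, winning the window on some iteration. The fix holds because every consumer after the copy reads rule_cnt from the buffer the kernel sized, not from memory the user can still modify; the general rule is to validate the copy you will act on, never a field you have to fetch again.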