• Vivien Didelot's avatar
    ethtool: fix potential userspace buffer overflow · e5c6de66
    Vivien Didelot authored
    [ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
    
    ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
    and pass it to the kernel driver via ops->get_regs() for filling.
    
    There is no restriction about what the kernel drivers can or cannot do
    with the open ethtool_regs structure. They usually set regs->version
    and ignore regs->len or set it to the same size as ops->get_regs_len().
    
    But if userspace allocates a smaller buffer for the registers dump,
    we would cause a userspace buffer overflow in the final copy_to_user()
    call, which uses the regs.len value potentially reset by the driver.
    
    To fix this, make this case obvious and store regs.len before calling
    ops->get_regs(), to only copy as much data as requested by userspace,
    up to the value returned by ops->get_regs_len().
    
    While at it, remove the redundant check for non-null regbuf.
    Signed-off-by: default avatarVivien Didelot <vivien.didelot@gmail.com>
    Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    e5c6de66
Name
Last commit
Last update
Documentation Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...
REPORTING-BUGS Loading commit data...