lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 30 May 2019 10:27:22 +0200
From:   Michal Kubecek <mkubecek@...e.cz>
To:     netdev@...r.kernel.org
Cc:     David Miller <davem@...emloft.net>, vivien.didelot@...il.com,
        linux-kernel@...r.kernel.org, kernel@...oirfairelinux.com,
        linville@...hat.com, f.fainelli@...il.com
Subject: Re: [PATCH net-next] ethtool: copy reglen to userspace

On Thu, May 30, 2019 at 08:48:48AM +0200, Michal Kubecek wrote:
> On Wed, May 29, 2019 at 10:17:44PM -0700, David Miller wrote:
> > From: Vivien Didelot <vivien.didelot@...il.com>
> > Date: Tue, 28 May 2019 16:58:48 -0400
> > 
> > > ethtool_get_regs() allocates a buffer of size reglen obtained from
> > > ops->get_regs_len(), thus only this value must be used when copying
> > > the buffer back to userspace. Also no need to check regbuf twice.
> > > 
> > > Signed-off-by: Vivien Didelot <vivien.didelot@...il.com>
> > 
> > Hmmm, can't regs.len be modified by the driver potentially?
> 
> The driver certainly shouldn't raise it as that could result in kernel
> writing past the buffer provided by userspace. (I'll check some drivers
> to see if they truncate the dump or return an error if regs.len from
> userspace is insufficient.) And lowering it would be also wrong as that
> would mean dump would be shorter than what ops->get_regs_len() returned.

I looked around a bit. First of all, the driver cannot actually return
error as ethtool_ops::get_regs() returns void. Most drivers do not touch
regs->len and only fill data and possibly regs->version which is fine.

There are few drivers which modify regs->len:

  s2io_ethtool_gdrvinfo()	neterion/s2io
  vxge_ethtool_gregs()		neterion/vxge
  ixgb_get_regs()		intel/ixgb
  emac_get_regs_len()		qualcomm/emac
  ql_get_regs()			qlogic/qlge
  axienet_ethtools_get_regs()	xilinx/axienet

All of these set regs->len to the same value as ->get_regs_len() returns
(ixgb does it in rather fragile way). This means that if userspace
passes insufficient buffer size, current code would write pass that
buffer; but proposed patch would make things worse as with it, kernel
would always write past the userspace buffer in such case.

Note: ieee80211_get_regs() in net/mac80211/ethtool.c also sets regs->len
but it always sets it to 0 which is also what ->get_regs_len() returns
so that it does not actually modify the value.

I believe this should be handled by ethtool_get_regs(), either by
returning an error or by only copying data up to original regs.len
passed by userspace. The former seems more correct but broken userspace
software would suddenly start to fail where it "used to work". The
latter would be closer to current behaviour but it would mean that
broken userspace software might nerver notice there is something wrong.

Michal Kubecek

Powered by blists - more mailing lists