[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f7e23fe6-4d30-ef1b-a431-3ef6ec6f77ba@sangfor.com.cn>
Date: Fri, 2 Jun 2023 23:01:43 +0800
From: Ding Hui <dinghui@...gfor.com.cn>
To: Andrew Lunn <andrew@...n.ch>
Cc: dinghui@...gfor.com.cn,
Alexander H Duyck <alexander.duyck@...il.com>,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, pengdonglin@...gfor.com.cn,
huangcun@...gfor.com.cn
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user
On 2023/6/2 8:26 下午, Andrew Lunn wrote:
>>> Changing the copy size would not fix this. The problem is the driver
>>> will be overwriting with the size that it thinks it should be using.
>>> Reducing the value that is provided for the memory allocations will
>>> cause the driver to corrupt memory.
>>>
>>
>> I noticed that, in fact I did use the returned length to allocate
>> kernel memory, and only use adjusted length to copy to user.
>
> This is also something i checked when quickly looking at the patch. It
> does look correct.
>
Thanks.
> Also, RTNL should be held during the time both calls are made into the
> driver. So nothing from userspace should be able to get in the middle
> of these calls to change the number of queues.
>
The RTNL lock is already be held during every each ioctl in dev_ethtool().
rtnl_lock();
rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state);
rtnl_unlock();
--
Thanks,
-dinghui
Powered by blists - more mailing lists