lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKgT0UdX7cc-LVFowFrY7mSZMvN0xc+w+oH16GNrduLY-AddSA@mail.gmail.com>
Date:   Thu, 8 Jun 2023 07:17:25 -0700
From:   Alexander Duyck <alexander.duyck@...il.com>
To:     Ding Hui <dinghui@...gfor.com.cn>
Cc:     Jakub Kicinski <kuba@...nel.org>, Andrew Lunn <andrew@...n.ch>,
        davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        pengdonglin@...gfor.com.cn, huangcun@...gfor.com.cn
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user

On Thu, Jun 8, 2023 at 2:06 AM Ding Hui <dinghui@...gfor.com.cn> wrote:
>
> On 2023/6/6 2:39, Jakub Kicinski wrote:
> > On Mon, 5 Jun 2023 11:39:59 +0800 Ding Hui wrote:
> >> Case 1:
> >> If the user len/n_stats is not zero, we will treat it as correct usage
> >> (although we cannot distinguish between the real correct usage and
> >> uninitialized usage). Return -EINVAL if current length exceed the one
> >> user specified.
> >
> > This assumes user will zero-initialize the value rather than do
> > something like:
> >
> >       buf = malloc(1 << 16); // 64k should always be enough
> >       ioctl(s, ETHTOOL_GSTATS, buf)
> >
> >       for (i = 0; i < buf.n_stats; i++)
> >               /* use stats */
> >
> > :(
> >
>
> Sorry for late.
>
> Now I'm not sure what can I do next besides reporting the issue.

Well as I said before. The issue points to a driver problem more than
anything else.

Normally the solution is to make it so that the counts don't
fluctuate. That mostly consists of providing strings equal to the
maximum count, and then 0 populating the data for any fields that
don't exist in the case of ethtool -S.

So for example in the case of igb which you had pointed out you could
take a look at ixgbe for inspiration on how to fix it since the two
drivers should be similar and one has the issue and one does not.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ