Message-ID: <14e094a861204bf0a744848cb30db635@realtek.com>
Date:   Thu, 3 Aug 2023 13:20:46 +0000
From:   Justin Lai <justinlai0215@...ltek.com>
To:     Jiri Pirko <jiri@...nulli.us>
CC:     "kuba@...nel.org" <kuba@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "edumazet@...gle.com" <edumazet@...gle.com>,
        "pabeni@...hat.com" <pabeni@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH] net/ethernet/realtek: Add Realtek automotive PCIe driver

Hi, Jiri Pirko

Our device is multi-function, one of which is netdev and the other is character device. For character devices, we have some custom functions that must use copy_from_user or copy_to_user to pass data.

-----Original Message-----
From: Jiri Pirko <jiri@...nulli.us> 
Sent: Thursday, August 3, 2023 4:57 PM
To: Justin Lai <justinlai0215@...ltek.com>
Cc: kuba@...nel.org; davem@...emloft.net; edumazet@...gle.com; pabeni@...hat.com; linux-kernel@...r.kernel.org; netdev@...r.kernel.org
Subject: Re: [PATCH] net/ethernet/realtek: Add Realtek automotive PCIe driver


Thu, Aug 03, 2023 at 10:25:13AM CEST, justinlai0215@...ltek.com wrote:
>This patch is to add the ethernet device driver for the PCIe interface 
>of Realtek Automotive Ethernet Switch, applicable to RTL9054, RTL9068, RTL9072, RTL9075, RTL9068, RTL9071.
>
>Signed-off-by: justinlai0215 <justinlai0215@...ltek.com>

[...]


>+
>+static long rtase_swc_ioctl(struct file *p_file, unsigned int cmd, 
>+unsigned long arg)

There are *MANY* things wrong in this patch spotted just during 5 minutes skimming over the code, but this definitely tops all of them.
I haven't seen such an obvious kernel bypass attempt in a long time. Ugh, you can't be serious :/

I suggest you take a couple of rounds of consulting the patch with some skilled upstream developer internally before you make another submission, in order not to waste the time of reviewers.


>+{
>+      long rc = 0;
>+      struct rtase_swc_cmd_t sw_cmd;
>+
>+      (void)p_file;
>+
>+      if (rtase_swc_device.init_flag == 1u) {
>+              rc = -ENXIO;
>+              goto out;
>+      }
>+
>+      rc = (s64)(copy_from_user(&sw_cmd, (void *)arg, sizeof(struct 
>+ rtase_swc_cmd_t)));
>+
>+      if (rc != 0) {
>+              SWC_DRIVER_INFO("rtase_swc copy_from_user failed.");
>+      } else {
>+              switch (cmd) {
>+              case SWC_CMD_REG_GET:
>+                      rtase_swc_reg_get(&sw_cmd);
>+                      rc = (s64)(copy_to_user((void *)arg, &sw_cmd,
>+                                              sizeof(struct rtase_swc_cmd_t)));
>+                      break;
>+
>+              case SWC_CMD_REG_SET:
>+                      rtase_swc_reg_set(&sw_cmd);
>+                      rc = (s64)(copy_to_user((void *)arg, &sw_cmd,
>+                                              sizeof(struct rtase_swc_cmd_t)));
>+                      break;
>+
>+              default:
>+                      rc = -ENOTTY;
>+                      break;
>+              }
>+      }
>+
>+out:
>+      return rc;
>+}
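
Review bot: in rtase_swc_ioctl() the results of copy_from_user() and of both copy_to_user() calls are stored in rc and returned unchanged, so a faulting user pointer makes the ioctl return a positive count of uncopied bytes instead of an error; test the result and return -EFAULT, for example `if (copy_from_user(&sw_cmd, (void __user *)arg, sizeof(sw_cmd))) return -EFAULT;`, and do the same for the copy back. The `(void *)arg` casts drop the `__user` annotation, so sparse cannot check these accesses, and the `(s64)` casts are unnecessary because rc is a long. Within these lines sw_cmd goes from user space straight into rtase_swc_reg_get() and rtase_swc_reg_set() with no capability check and no validation of its fields, and p_file is discarded, so nothing visible here restricts which caller can issue SWC_CMD_REG_SET; if that checking lives in the helpers it should be documented at this entry point. Please also confirm the `init_flag == 1u` test that returns -ENXIO is not inverted, since the name suggests 1 means initialized.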

[...]
