lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Oct 2018 21:39:28 -0700 (PDT) From: David Miller <davem@...emloft.net> To: wang6495@....edu Cc: kjlu@....edu, f.fainelli@...il.com, keescook@...omium.org, ilyal@...lanox.com, ecree@...arflare.com, ynorov@...iumnetworks.com, alan.brady@...el.com, eugenia@...lanox.com, stephen@...workplumber.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] ethtool: fix a missing-check bug From: Wenwen Wang <wang6495@....edu> Date: Tue, 9 Oct 2018 08:15:38 -0500 > In ethtool_get_rxnfc(), the eth command 'cmd' is compared against > 'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable > 'info_size'. Then the whole structure of 'info' is copied from the > user-space buffer 'useraddr' with 'info_size' bytes. In the following > execution, 'info' may be copied again from the buffer 'useraddr' depending > on the 'cmd' and the 'info.flow_type'. However, after these two copies, > there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also > copied from the buffer 'useraddr' in dev_ethtool(), which is the caller > function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user > space, a malicious user can race to change the eth command in the buffer > between these copies. By doing so, the attacker can supply inconsistent > data and cause undefined behavior because in the following execution 'info' > will be passed to ops->get_rxnfc(). > > This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that > they are still same after the two copies in ethtool_get_rxnfc(). Otherwise, > an error code EINVAL will be returned. > > Signed-off-by: Wenwen Wang <wang6495@....edu> Applied.
Powered by blists - more mailing lists