lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f7e23fe6-4d30-ef1b-a431-3ef6ec6f77ba@sangfor.com.cn>
Date: Fri, 2 Jun 2023 23:01:43 +0800
From: Ding Hui <dinghui@...gfor.com.cn>
To: Andrew Lunn <andrew@...n.ch>
Cc: dinghui@...gfor.com.cn, Alexander H Duyck <alexander.duyck@...il.com>,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 pengdonglin@...gfor.com.cn, huangcun@...gfor.com.cn
Subject: Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user

On 2023/6/2 8:26 下午, Andrew Lunn wrote:
>>> Changing the copy size would not fix this. The problem is the driver
>>> will be overwriting with the size that it thinks it should be using.
>>> Reducing the value that is provided for the memory allocations will
>>> cause the driver to corrupt memory.
>>>
>>
>> I noticed that, in fact I did use the returned length to allocate
>> kernel memory, and only use adjusted length to copy to user.
> 
> This is also something i checked when quickly looking at the patch. It
> does look correct.
> 

Thanks.

> Also, RTNL should be held during the time both calls are made into the
> driver. So nothing from userspace should be able to get in the middle
> of these calls to change the number of queues.
> 

The RTNL lock is already be held during every each ioctl in dev_ethtool().

     rtnl_lock();
     rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state);
     rtnl_unlock();

-- 
Thanks,
-dinghui


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ