Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user

From: Ding Hui
Date: Fri Jun 02 2023 - 11:02:27 EST

Next message: Hawkins, Nick: "Re: [PATCH v2 4/5] hwmon: (gxp_fan_ctrl) Provide fan info via gpio"
Previous message: David Vernet: "[PATCH bpf-next 2/2] selftests/bpf: Add test for non-NULLable PTR_TO_BTF_IDs"
In reply to: Andrew Lunn: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Next in thread: Andrew Lunn: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023/6/2 8:26 下午, Andrew Lunn wrote:

Changing the copy size would not fix this. The problem is the driver
will be overwriting with the size that it thinks it should be using.
Reducing the value that is provided for the memory allocations will
cause the driver to corrupt memory.

I noticed that, in fact I did use the returned length to allocate
kernel memory, and only use adjusted length to copy to user.

This is also something i checked when quickly looking at the patch. It
does look correct.

Thanks.

Also, RTNL should be held during the time both calls are made into the
driver. So nothing from userspace should be able to get in the middle
of these calls to change the number of queues.

The RTNL lock is already be held during every each ioctl in dev_ethtool().

rtnl_lock();
rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state);
rtnl_unlock();

--
Thanks,
-dinghui

Next message: Hawkins, Nick: "Re: [PATCH v2 4/5] hwmon: (gxp_fan_ctrl) Provide fan info via gpio"
Previous message: David Vernet: "[PATCH bpf-next 2/2] selftests/bpf: Add test for non-NULLable PTR_TO_BTF_IDs"
In reply to: Andrew Lunn: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Next in thread: Andrew Lunn: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]