Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user

From: Ding Hui
Date: Thu Jun 08 2023 - 05:06:59 EST

Next message: Greg Kroah-Hartman: "Re: [GIT PULL] USB-serial device ids for 6.4-rc6"
Previous message: Horatiu Vultur: "Re: [PATCH net-next] net: micrel: Change to receive timestamp in the frame for lan8841"
Next in thread: Alexander Duyck: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2023/6/6 2:39, Jakub Kicinski wrote:

On Mon, 5 Jun 2023 11:39:59 +0800 Ding Hui wrote:

Case 1:
If the user len/n_stats is not zero, we will treat it as correct usage
(although we cannot distinguish between the real correct usage and
uninitialized usage). Return -EINVAL if current length exceed the one
user specified.

This assumes user will zero-initialize the value rather than do
something like:

buf = malloc(1 << 16); // 64k should always be enough
ioctl(s, ETHTOOL_GSTATS, buf)

for (i = 0; i < buf.n_stats; i++)
/* use stats */

:(

Sorry for late.

Now I'm not sure what can I do next besides reporting the issue.

Case 2:
If it is zero, we will treat it as incorrect usage, we can add a
pr_err_once() for it and keep to be compatible with it for a period of time.
At a suitable time in the future, this part can be removed by maintainers.

--
Thanks,
- Ding Hui

Next message: Greg Kroah-Hartman: "Re: [GIT PULL] USB-serial device ids for 6.4-rc6"
Previous message: Horatiu Vultur: "Re: [PATCH net-next] net: micrel: Change to receive timestamp in the frame for lan8841"
Next in thread: Alexander Duyck: "Re: [PATCH net-next] net: ethtool: Fix out-of-bounds copy to user"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]