ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields.  It was then extended in 2.6.30 to support various additional
commands.  These commands should have been defined to use a new
structure, but it is too late to change that now.

Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.

Signed-off-by: Ben Hutchings <[email protected]>
Cc: [email protected]
Signed-off-by: David S. Miller <[email protected]>
Ben Hutchings authored and davem330 committed Jun 29, 2010
1 parent db048b6 commit bf98843
Showing 2 changed files with 29 additions and 9 deletions.
2 changes: 2 additions & 0 deletions include/linux/ethtool.h
@@ -379,6 +379,8 @@ struct ethtool_rxnfc {
__u32 flow_type;
/* The rx flow hash value or the rule DB size */
__u64 data;
/* The following fields are not valid and must not be used for
* the ETHTOOL_{G,X}RXFH commands. */
struct ethtool_rx_flow_spec fs;
__u32 rule_cnt;
__u32 rule_locs[0];
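Review bot: The comment added above `struct ethtool_rx_flow_spec fs;` names the commands as `ETHTOOL_{G,X}RXFH`, while the commit title, the description and the comments added in net/core/ethtool.c all say `ETHTOOL_{G,S}RXFH`, so the `X` looks like a typo for `S`. This header is where user-space and driver authors learn which members are valid, so the second comment line should read `* the ETHTOOL_{G,S}RXFH commands. */`. It would also help to state here that for those two commands the kernel copies only `cmd`, `flow_type` and `data`, which is why the later members must not be relied on.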
36 changes: 27 additions & 9 deletions net/core/ethtool.c
@@ -318,31 +318,49 @@ static noinline_for_stack int ethtool_get_sset_info(struct net_device *dev,
}

static noinline_for_stack int ethtool_set_rxnfc(struct net_device *dev,
void __user *useraddr)
u32 cmd, void __user *useraddr)
{
struct ethtool_rxnfc cmd;
struct ethtool_rxnfc info;
size_t info_size = sizeof(info);

if (!dev->ethtool_ops->set_rxnfc)
return -EOPNOTSUPP;

if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
/* struct ethtool_rxnfc was originally defined for
* ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
* members. User-space might still be using that
* definition. */
if (cmd == ETHTOOL_SRXFH)
info_size = (offsetof(struct ethtool_rxnfc, data) +
sizeof(info.data));

if (copy_from_user(&info, useraddr, info_size))
return -EFAULT;

return dev->ethtool_ops->set_rxnfc(dev, &cmd);
return dev->ethtool_ops->set_rxnfc(dev, &info);
}

static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
void __user *useraddr)
u32 cmd, void __user *useraddr)
{
struct ethtool_rxnfc info;
size_t info_size = sizeof(info);
const struct ethtool_ops *ops = dev->ethtool_ops;
int ret;
void *rule_buf = NULL;

if (!ops->get_rxnfc)
return -EOPNOTSUPP;

if (copy_from_user(&info, useraddr, sizeof(info)))
/* struct ethtool_rxnfc was originally defined for
* ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
* members. User-space might still be using that
* definition. */
if (cmd == ETHTOOL_GRXFH)
info_size = (offsetof(struct ethtool_rxnfc, data) +
sizeof(info.data));

if (copy_from_user(&info, useraddr, info_size))
return -EFAULT;

if (info.cmd == ETHTOOL_GRXCLSRLALL) {
@@ -360,7 +378,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
goto err_out;

ret = -EFAULT;
if (copy_to_user(useraddr, &info, sizeof(info)))
if (copy_to_user(useraddr, &info, info_size))
goto err_out;

if (rule_buf) {
@@ -1517,12 +1535,12 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
case ETHTOOL_GRXCLSRLCNT:
case ETHTOOL_GRXCLSRULE:
case ETHTOOL_GRXCLSRLALL:
rc = ethtool_get_rxnfc(dev, useraddr);
rc = ethtool_get_rxnfc(dev, ethcmd, useraddr);
break;
case ETHTOOL_SRXFH:
case ETHTOOL_SRXCLSRLDEL:
case ETHTOOL_SRXCLSRLINS:
rc = ethtool_set_rxnfc(dev, useraddr);
rc = ethtool_set_rxnfc(dev, ethcmd, useraddr);
break;
case ETHTOOL_GGRO:
rc = ethtool_get_gro(dev, useraddr);
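Review bot: In `ethtool_get_rxnfc`, when `cmd == ETHTOOL_GRXFH` only the bytes up to and including `data` are copied into the on-stack `info`, so `fs`, `rule_cnt` and the members after them keep whatever was on the stack, yet the next test is `if (info.cmd == ETHTOOL_GRXCLSRLALL)`, which reads the value from the user buffer rather than the `cmd` argument that chose the copy size. If the two values can differ (`ethcmd` is presumably fetched from the same buffer earlier in `dev_ethtool`, outside these hunks), the class-rule path would run on members that were never copied in; the body of that branch is collapsed on this page, so how it uses them needs checking. I would zero the struct before the copy and reject a mismatch after it, with `memset(&info, 0, sizeof(info));` and `if (info.cmd != cmd) return -EINVAL;`. The same applies to `ethtool_set_rxnfc`, which hands the partly filled `info` to the driver's `set_rxnfc`.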
