mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-24 17:23:25 -05:00
linux/net/core
Wenwen Wang d656fe49e3 ethtool: fix a potential missing-check bug
In ethtool_get_rxnfc(), the object "info" is firstly copied from
user-space. If the FLOW_RSS flag is set in the member field flow_type of
"info" (and cmd is ETHTOOL_GRXFH), info needs to be copied again from
user-space because FLOW_RSS is newer and has new definition, as mentioned
in the comment. However, given that the user data resides in user-space, a
malicious user can race to change the data after the first copy. By doing
so, the user can inject inconsistent data. For example, in the second
copy, the FLOW_RSS flag could be cleared in the field flow_type of "info".
In the following execution, "info" will be used in the function
ops->get_rxnfc(). Such inconsistent data can potentially lead to unexpected
information leakage since ops->get_rxnfc() will prepare various types of
data according to flow_type, and the prepared data will be eventually
copied to user-space. This inconsistent data may also cause undefined
behaviors based on how ops->get_rxnfc() is implemented.

This patch simply re-verifies the flow_type field of "info" after the
second copy. If the value is not as expected, an error code will be
returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-01 14:18:47 -04:00
..
datagram.c
dev.c vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi 2018-04-17 13:59:28 -04:00
dev_addr_lists.c net: change the comment of dev_mc_init 2018-04-19 12:58:20 -04:00
dev_ioctl.c
devlink.c devlink: convert occ_get op to separate registration 2018-04-08 12:45:57 -04:00
drop_monitor.c
dst.c
dst_cache.c
ethtool.c ethtool: fix a potential missing-check bug 2018-05-01 14:18:47 -04:00
fib_notifier.c net: Fix fib notifer to return errno 2018-03-29 14:10:30 -04:00
fib_rules.c net: Move call_fib_rule_notifiers up in fib_nl_newrule 2018-03-29 14:10:30 -04:00
filter.c bpf: clear the ip_tunnel_info. 2018-04-25 09:51:54 +02:00
flow_dissector.c
gen_estimator.c
gen_stats.c
gro_cells.c
hwbm.c
link_watch.c
lwt_bpf.c
lwtunnel.c
Makefile
neighbour.c net: fix deadlock while clearing neighbor proxy table 2018-04-12 22:01:22 -04:00
net-procfs.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
net-sysfs.c net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
net-sysfs.h
net-traces.c
net_namespace.c net: Do not take net_rwsem in __rtnl_link_unregister() 2018-03-31 22:24:58 -04:00
netclassid_cgroup.c
netevent.c
netpoll.c
netprio_cgroup.c
pktgen.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ptp_classifier.c
request_sock.c
rtnetlink.c net: Do not take net_rwsem in __rtnl_link_unregister() 2018-03-31 22:24:58 -04:00
scm.c
secure_seq.c
skbuff.c net: initialize skb->peeked when cloning 2018-04-07 22:32:31 -04:00
sock.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
sock_diag.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
sock_reuseport.c
stream.c
sysctl_net_core.c headers: untangle kmemleak.h from mm.h 2018-04-05 21:36:27 -07:00
timestamping.c
tso.c
utils.c net/utils: Introduce inet_addr_is_any 2018-03-26 08:53:43 -06:00
xdp.c