Message ID | 20210726221539.492937-1-saeed@kernel.org (mailing list archive) |
---|---|
State | Accepted |
Commit | 9b29a161ef38040f000dcf9ccf78e34495edfd55 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net-next] ethtool: Fix rxnfc copy to user buffer overflow | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for net-next |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | warning | 8 maintainers not CCed: ecree@solarflare.com austindh.kim@gmail.com daniel@iogearbox.net andrew@lunn.ch magnus.karlsson@intel.com danieller@nvidia.com irusskikh@marvell.com alexanderduyck@fb.com |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 1 this patch: 1 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 1 this patch: 1 |
netdev/header_inline | success | Link |
On 7/26/21 3:15 PM, Saeed Mahameed wrote: > From: Saeed Mahameed <saeedm@nvidia.com> > > In the cited commit, copy_to_user() got called with the wrong pointer, > instead of passing the actual buffer ptr to copy from, a pointer to > the pointer got passed, which causes a buffer overflow calltrace to pop > up when executing "ethtool -x ethX". > > Fix ethtool_rxnfc_copy_to_user() to use the rxnfc pointer as passed > to the function, instead of a pointer to it. > > This fixes below call trace: > [ 15.533533] ------------[ cut here ]------------ > [ 15.539007] Buffer overflow detected (8 < 192)! > [ 15.544110] WARNING: CPU: 3 PID: 1801 at include/linux/thread_info.h:200 copy_overflow+0x15/0x20 > [ 15.549308] Modules linked in: > [ 15.551449] CPU: 3 PID: 1801 Comm: ethtool Not tainted 5.14.0-rc2+ #1058 > [ 15.553919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 > [ 15.558378] RIP: 0010:copy_overflow+0x15/0x20 > [ 15.560648] Code: e9 7c ff ff ff b8 a1 ff ff ff eb c4 66 0f 1f 84 00 00 00 00 00 55 48 89 f2 89 fe 48 c7 c7 88 55 78 8a 48 89 e5 e8 06 5c 1e 00 <0f> 0b 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 > [ 15.565114] RSP: 0018:ffffad49c0523bd0 EFLAGS: 00010286 > [ 15.566231] RAX: 0000000000000000 RBX: 00000000000000c0 RCX: 0000000000000000 > [ 15.567616] RDX: 0000000000000001 RSI: ffffffff8a7912e7 RDI: 00000000ffffffff > [ 15.569050] RBP: ffffad49c0523bd0 R08: ffffffff8ab2ae28 R09: 00000000ffffdfff > [ 15.570534] R10: ffffffff8aa4ae40 R11: ffffffff8aa4ae40 R12: 0000000000000000 > [ 15.571899] R13: 00007ffd4cc2a230 R14: ffffad49c0523c00 R15: 0000000000000000 > [ 15.573584] FS: 00007f538112f740(0000) GS:ffff96d5bdd80000(0000) knlGS:0000000000000000 > [ 15.575639] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 15.577092] CR2: 00007f5381226d40 CR3: 0000000013542000 CR4: 00000000001506e0 > [ 15.578929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > [ 15.580695] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > [ 15.582441] Call Trace: > [ 15.582970] ethtool_rxnfc_copy_to_user+0x30/0x46 > [ 15.583815] ethtool_get_rxnfc.cold+0x23/0x2b > [ 15.584584] dev_ethtool+0x29c/0x25f0 > [ 15.585286] ? security_netlbl_sid_to_secattr+0x77/0xd0 > [ 15.586728] ? do_set_pte+0xc4/0x110 > [ 15.587349] ? _raw_spin_unlock+0x18/0x30 > [ 15.588118] ? __might_sleep+0x49/0x80 > [ 15.588956] dev_ioctl+0x2c1/0x490 > [ 15.589616] sock_ioctl+0x18e/0x330 > [ 15.591143] __x64_sys_ioctl+0x41c/0x990 > [ 15.591823] ? irqentry_exit_to_user_mode+0x9/0x20 > [ 15.592657] ? irqentry_exit+0x33/0x40 > [ 15.593308] ? exc_page_fault+0x32f/0x770 > [ 15.593877] ? exit_to_user_mode_prepare+0x3c/0x130 > [ 15.594775] do_syscall_64+0x35/0x80 > [ 15.595397] entry_SYSCALL_64_after_hwframe+0x44/0xae > [ 15.596037] RIP: 0033:0x7f5381226d4b > [ 15.596492] Code: 0f 1e fa 48 8b 05 3d b1 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0d b1 0c 00 f7 d8 64 89 01 48 > [ 15.598743] RSP: 002b:00007ffd4cc2a1f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 > [ 15.599804] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5381226d4b > [ 15.600795] RDX: 00007ffd4cc2a350 RSI: 0000000000008946 RDI: 0000000000000003 > [ 15.601712] RBP: 00007ffd4cc2a340 R08: 00007ffd4cc2a350 R09: 0000000000000001 > [ 15.602751] R10: 00007f538128a990 R11: 0000000000000246 R12: 0000000000000000 > [ 15.603882] R13: 00007ffd4cc2a350 R14: 00007ffd4cc2a4b0 R15: 0000000000000000 > [ 15.605042] ---[ end trace 325cf185e2795048 ]--- > > Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling") > Reported-by: Shannon Nelson <snelson@pensando.io> > CC: Arnd Bergmann <arnd@arndb.de> > CC: Christoph Hellwig <hch@lst.de> > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Thanks! Tested-by: Shannon Nelson <snelson@pensando.io> > --- > net/ethtool/ioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c > index 6134b180f59f..af011534bcb2 100644 > --- a/net/ethtool/ioctl.c > +++ b/net/ethtool/ioctl.c > @@ -906,7 +906,7 @@ static int ethtool_rxnfc_copy_to_user(void __user *useraddr, > rule_buf); > useraddr += offsetof(struct compat_ethtool_rxnfc, rule_locs); > } else { > - ret = copy_to_user(useraddr, &rxnfc, size); > + ret = copy_to_user(useraddr, rxnfc, size); > useraddr += offsetof(struct ethtool_rxnfc, rule_locs); > } >
On Tue, Jul 27, 2021 at 12:15 AM Saeed Mahameed <saeed@kernel.org> wrote: > Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling") > Reported-by: Shannon Nelson <snelson@pensando.io> > CC: Arnd Bergmann <arnd@arndb.de> > CC: Christoph Hellwig <hch@lst.de> > Signed-off-by: Saeed Mahameed <saeedm@nvidia.com> Thanks a lot for the fix Acked-by: Arnd Bergmann <arnd@arndb.de> Arnd
Hello: This patch was applied to netdev/net-next.git (refs/heads/master): On Mon, 26 Jul 2021 15:15:39 -0700 you wrote: > From: Saeed Mahameed <saeedm@nvidia.com> > > In the cited commit, copy_to_user() got called with the wrong pointer, > instead of passing the actual buffer ptr to copy from, a pointer to > the pointer got passed, which causes a buffer overflow calltrace to pop > up when executing "ethtool -x ethX". > > [...] Here is the summary with links: - [net-next] ethtool: Fix rxnfc copy to user buffer overflow https://git.kernel.org/netdev/net-next/c/9b29a161ef38 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c index 6134b180f59f..af011534bcb2 100644 --- a/net/ethtool/ioctl.c +++ b/net/ethtool/ioctl.c @@ -906,7 +906,7 @@ static int ethtool_rxnfc_copy_to_user(void __user *useraddr, rule_buf); useraddr += offsetof(struct compat_ethtool_rxnfc, rule_locs); } else { - ret = copy_to_user(useraddr, &rxnfc, size); + ret = copy_to_user(useraddr, rxnfc, size); useraddr += offsetof(struct ethtool_rxnfc, rule_locs); }