Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow
@ 2021-07-26 22:15 Saeed Mahameed
  2021-07-26 23:38 ` Shannon Nelson
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Saeed Mahameed @ 2021-07-26 22:15 UTC (permalink / raw)
  To: David S. Miller, Jakub Kicinski
  Cc: netdev, Saeed Mahameed, Shannon Nelson, Arnd Bergmann, Christoph Hellwig

From: Saeed Mahameed <saeedm@nvidia.com>

In the cited commit, copy_to_user() got called with the wrong pointer,
instead of passing the actual buffer ptr to copy from, a pointer to
the pointer got passed, which causes a buffer overflow calltrace to pop
up when executing "ethtool -x ethX".

Fix ethtool_rxnfc_copy_to_user() to use the rxnfc pointer as passed
to the function, instead of a pointer to it.

This fixes below call trace:
[   15.533533] ------------[ cut here ]------------
[   15.539007] Buffer overflow detected (8 < 192)!
[   15.544110] WARNING: CPU: 3 PID: 1801 at include/linux/thread_info.h:200 copy_overflow+0x15/0x20
[   15.549308] Modules linked in:
[   15.551449] CPU: 3 PID: 1801 Comm: ethtool Not tainted 5.14.0-rc2+ #1058
[   15.553919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[   15.558378] RIP: 0010:copy_overflow+0x15/0x20
[   15.560648] Code: e9 7c ff ff ff b8 a1 ff ff ff eb c4 66 0f 1f 84 00 00 00 00 00 55 48 89 f2 89 fe 48 c7 c7 88 55 78 8a 48 89 e5 e8 06 5c 1e 00 <0f> 0b 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55
[   15.565114] RSP: 0018:ffffad49c0523bd0 EFLAGS: 00010286
[   15.566231] RAX: 0000000000000000 RBX: 00000000000000c0 RCX: 0000000000000000
[   15.567616] RDX: 0000000000000001 RSI: ffffffff8a7912e7 RDI: 00000000ffffffff
[   15.569050] RBP: ffffad49c0523bd0 R08: ffffffff8ab2ae28 R09: 00000000ffffdfff
[   15.570534] R10: ffffffff8aa4ae40 R11: ffffffff8aa4ae40 R12: 0000000000000000
[   15.571899] R13: 00007ffd4cc2a230 R14: ffffad49c0523c00 R15: 0000000000000000
[   15.573584] FS:  00007f538112f740(0000) GS:ffff96d5bdd80000(0000) knlGS:0000000000000000
[   15.575639] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.577092] CR2: 00007f5381226d40 CR3: 0000000013542000 CR4: 00000000001506e0
[   15.578929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   15.580695] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   15.582441] Call Trace:
[   15.582970]  ethtool_rxnfc_copy_to_user+0x30/0x46
[   15.583815]  ethtool_get_rxnfc.cold+0x23/0x2b
[   15.584584]  dev_ethtool+0x29c/0x25f0
[   15.585286]  ? security_netlbl_sid_to_secattr+0x77/0xd0
[   15.586728]  ? do_set_pte+0xc4/0x110
[   15.587349]  ? _raw_spin_unlock+0x18/0x30
[   15.588118]  ? __might_sleep+0x49/0x80
[   15.588956]  dev_ioctl+0x2c1/0x490
[   15.589616]  sock_ioctl+0x18e/0x330
[   15.591143]  __x64_sys_ioctl+0x41c/0x990
[   15.591823]  ? irqentry_exit_to_user_mode+0x9/0x20
[   15.592657]  ? irqentry_exit+0x33/0x40
[   15.593308]  ? exc_page_fault+0x32f/0x770
[   15.593877]  ? exit_to_user_mode_prepare+0x3c/0x130
[   15.594775]  do_syscall_64+0x35/0x80
[   15.595397]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   15.596037] RIP: 0033:0x7f5381226d4b
[   15.596492] Code: 0f 1e fa 48 8b 05 3d b1 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0d b1 0c 00 f7 d8 64 89 01 48
[   15.598743] RSP: 002b:00007ffd4cc2a1f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   15.599804] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5381226d4b
[   15.600795] RDX: 00007ffd4cc2a350 RSI: 0000000000008946 RDI: 0000000000000003
[   15.601712] RBP: 00007ffd4cc2a340 R08: 00007ffd4cc2a350 R09: 0000000000000001
[   15.602751] R10: 00007f538128a990 R11: 0000000000000246 R12: 0000000000000000
[   15.603882] R13: 00007ffd4cc2a350 R14: 00007ffd4cc2a4b0 R15: 0000000000000000
[   15.605042] ---[ end trace 325cf185e2795048 ]---

Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling")
Reported-by: Shannon Nelson <snelson@pensando.io>
CC: Arnd Bergmann <arnd@arndb.de>
CC: Christoph Hellwig <hch@lst.de>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
---
 net/ethtool/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 6134b180f59f..af011534bcb2 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -906,7 +906,7 @@ static int ethtool_rxnfc_copy_to_user(void __user *useraddr,
 						   rule_buf);
 		useraddr += offsetof(struct compat_ethtool_rxnfc, rule_locs);
 	} else {
-		ret = copy_to_user(useraddr, &rxnfc, size);
+		ret = copy_to_user(useraddr, rxnfc, size);
 		useraddr += offsetof(struct ethtool_rxnfc, rule_locs);
 	}
 
-- 
2.31.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow
  2021-07-26 22:15 [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow Saeed Mahameed
@ 2021-07-26 23:38 ` Shannon Nelson
  2021-07-27  9:03 ` Arnd Bergmann
  2021-07-27 10:20 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Shannon Nelson @ 2021-07-26 23:38 UTC (permalink / raw)
  To: Saeed Mahameed, David S. Miller, Jakub Kicinski
  Cc: netdev, Saeed Mahameed, Arnd Bergmann, Christoph Hellwig

On 7/26/21 3:15 PM, Saeed Mahameed wrote:
> From: Saeed Mahameed <saeedm@nvidia.com>
>
> In the cited commit, copy_to_user() got called with the wrong pointer,
> instead of passing the actual buffer ptr to copy from, a pointer to
> the pointer got passed, which causes a buffer overflow calltrace to pop
> up when executing "ethtool -x ethX".
>
> Fix ethtool_rxnfc_copy_to_user() to use the rxnfc pointer as passed
> to the function, instead of a pointer to it.
>
> This fixes below call trace:
> [   15.533533] ------------[ cut here ]------------
> [   15.539007] Buffer overflow detected (8 < 192)!
> [   15.544110] WARNING: CPU: 3 PID: 1801 at include/linux/thread_info.h:200 copy_overflow+0x15/0x20
> [   15.549308] Modules linked in:
> [   15.551449] CPU: 3 PID: 1801 Comm: ethtool Not tainted 5.14.0-rc2+ #1058
> [   15.553919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> [   15.558378] RIP: 0010:copy_overflow+0x15/0x20
> [   15.560648] Code: e9 7c ff ff ff b8 a1 ff ff ff eb c4 66 0f 1f 84 00 00 00 00 00 55 48 89 f2 89 fe 48 c7 c7 88 55 78 8a 48 89 e5 e8 06 5c 1e 00 <0f> 0b 5d c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55
> [   15.565114] RSP: 0018:ffffad49c0523bd0 EFLAGS: 00010286
> [   15.566231] RAX: 0000000000000000 RBX: 00000000000000c0 RCX: 0000000000000000
> [   15.567616] RDX: 0000000000000001 RSI: ffffffff8a7912e7 RDI: 00000000ffffffff
> [   15.569050] RBP: ffffad49c0523bd0 R08: ffffffff8ab2ae28 R09: 00000000ffffdfff
> [   15.570534] R10: ffffffff8aa4ae40 R11: ffffffff8aa4ae40 R12: 0000000000000000
> [   15.571899] R13: 00007ffd4cc2a230 R14: ffffad49c0523c00 R15: 0000000000000000
> [   15.573584] FS:  00007f538112f740(0000) GS:ffff96d5bdd80000(0000) knlGS:0000000000000000
> [   15.575639] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   15.577092] CR2: 00007f5381226d40 CR3: 0000000013542000 CR4: 00000000001506e0
> [   15.578929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   15.580695] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   15.582441] Call Trace:
> [   15.582970]  ethtool_rxnfc_copy_to_user+0x30/0x46
> [   15.583815]  ethtool_get_rxnfc.cold+0x23/0x2b
> [   15.584584]  dev_ethtool+0x29c/0x25f0
> [   15.585286]  ? security_netlbl_sid_to_secattr+0x77/0xd0
> [   15.586728]  ? do_set_pte+0xc4/0x110
> [   15.587349]  ? _raw_spin_unlock+0x18/0x30
> [   15.588118]  ? __might_sleep+0x49/0x80
> [   15.588956]  dev_ioctl+0x2c1/0x490
> [   15.589616]  sock_ioctl+0x18e/0x330
> [   15.591143]  __x64_sys_ioctl+0x41c/0x990
> [   15.591823]  ? irqentry_exit_to_user_mode+0x9/0x20
> [   15.592657]  ? irqentry_exit+0x33/0x40
> [   15.593308]  ? exc_page_fault+0x32f/0x770
> [   15.593877]  ? exit_to_user_mode_prepare+0x3c/0x130
> [   15.594775]  do_syscall_64+0x35/0x80
> [   15.595397]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   15.596037] RIP: 0033:0x7f5381226d4b
> [   15.596492] Code: 0f 1e fa 48 8b 05 3d b1 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0d b1 0c 00 f7 d8 64 89 01 48
> [   15.598743] RSP: 002b:00007ffd4cc2a1f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> [   15.599804] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5381226d4b
> [   15.600795] RDX: 00007ffd4cc2a350 RSI: 0000000000008946 RDI: 0000000000000003
> [   15.601712] RBP: 00007ffd4cc2a340 R08: 00007ffd4cc2a350 R09: 0000000000000001
> [   15.602751] R10: 00007f538128a990 R11: 0000000000000246 R12: 0000000000000000
> [   15.603882] R13: 00007ffd4cc2a350 R14: 00007ffd4cc2a4b0 R15: 0000000000000000
> [   15.605042] ---[ end trace 325cf185e2795048 ]---
>
> Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling")
> Reported-by: Shannon Nelson <snelson@pensando.io>
> CC: Arnd Bergmann <arnd@arndb.de>
> CC: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>

Thanks!

Tested-by: Shannon Nelson <snelson@pensando.io>

> ---
>   net/ethtool/ioctl.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
> index 6134b180f59f..af011534bcb2 100644
> --- a/net/ethtool/ioctl.c
> +++ b/net/ethtool/ioctl.c
> @@ -906,7 +906,7 @@ static int ethtool_rxnfc_copy_to_user(void __user *useraddr,
>   						   rule_buf);
>   		useraddr += offsetof(struct compat_ethtool_rxnfc, rule_locs);
>   	} else {
> -		ret = copy_to_user(useraddr, &rxnfc, size);
> +		ret = copy_to_user(useraddr, rxnfc, size);
>   		useraddr += offsetof(struct ethtool_rxnfc, rule_locs);
>   	}
>   


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow
  2021-07-26 22:15 [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow Saeed Mahameed
  2021-07-26 23:38 ` Shannon Nelson
@ 2021-07-27  9:03 ` Arnd Bergmann
  2021-07-27 10:20 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Arnd Bergmann @ 2021-07-27  9:03 UTC (permalink / raw)
  To: Saeed Mahameed
  Cc: David S. Miller, Jakub Kicinski, Networking, Saeed Mahameed,
	Shannon Nelson, Arnd Bergmann, Christoph Hellwig

On Tue, Jul 27, 2021 at 12:15 AM Saeed Mahameed <saeed@kernel.org> wrote:
> Fixes: dd98d2895de6 ("ethtool: improve compat ioctl handling")
> Reported-by: Shannon Nelson <snelson@pensando.io>
> CC: Arnd Bergmann <arnd@arndb.de>
> CC: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>

Thanks a lot for the fix

Acked-by: Arnd Bergmann <arnd@arndb.de>

         Arnd

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow
  2021-07-26 22:15 [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow Saeed Mahameed
  2021-07-26 23:38 ` Shannon Nelson
  2021-07-27  9:03 ` Arnd Bergmann
@ 2021-07-27 10:20 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-07-27 10:20 UTC (permalink / raw)
  To: Saeed Mahameed; +Cc: davem, kuba, netdev, saeedm, snelson, arnd, hch

Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Mon, 26 Jul 2021 15:15:39 -0700 you wrote:
> From: Saeed Mahameed <saeedm@nvidia.com>
> 
> In the cited commit, copy_to_user() got called with the wrong pointer,
> instead of passing the actual buffer ptr to copy from, a pointer to
> the pointer got passed, which causes a buffer overflow calltrace to pop
> up when executing "ethtool -x ethX".
> 
> [...]

Here is the summary with links:
  - [net-next] ethtool: Fix rxnfc copy to user buffer overflow
    https://git.kernel.org/netdev/net-next/c/9b29a161ef38

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-07-27 10:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-26 22:15 [PATCH net-next] ethtool: Fix rxnfc copy to user buffer overflow Saeed Mahameed
2021-07-26 23:38 ` Shannon Nelson
2021-07-27  9:03 ` Arnd Bergmann
2021-07-27 10:20 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).