ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH

commit bf988435bd5b53529f4408a8efb1f433f6ddfda9 upstream.

struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields.  It was then extended in 2.6.30 to support various additional
commands.  These commands should have been defined to use a new
structure, but it is too late to change that now.

Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/include/linux/ethtool.h b/include/linux/ethtool.h
index ef4a2d84d922166eec5f5a39a5250442d4eef4a4..03c52fa625d992d630b1807585401aa36a2df4e6 100644 (file)
--- a/include/linux/ethtool.h
+++ b/include/linux/ethtool.h
@@ -358,6 +358,8 @@ struct ethtool_rxnfc {
        __u32                           flow_type;
        /* The rx flow hash value or the rule DB size */
        __u64                           data;
+       /* The following fields are not valid and must not be used for
+        * the ETHTOOL_{G,X}RXFH commands. */
        struct ethtool_rx_flow_spec     fs;
        __u32                           rule_cnt;
        __u32                           rule_locs[0];

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 65a9b2ef6455227056b766bef0c5d0e0eb06291a..ed2fb75e0d00c5dd15257fb218b55e3856de40a4 100644 (file)
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -209,22 +209,34 @@ static int ethtool_get_drvinfo(struct net_device *dev, void __user *useraddr)
        return 0;
 }
 
-static int ethtool_set_rxnfc(struct net_device *dev, void __user *useraddr)
+static int ethtool_set_rxnfc(struct net_device *dev,
+                            u32 cmd, void __user *useraddr)
 {
-       struct ethtool_rxnfc cmd;
+       struct ethtool_rxnfc info;
+       size_t info_size = sizeof(info);
 
        if (!dev->ethtool_ops->set_rxnfc)
                return -EOPNOTSUPP;
 
-       if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
+       /* struct ethtool_rxnfc was originally defined for
+        * ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
+        * members.  User-space might still be using that
+        * definition. */
+       if (cmd == ETHTOOL_SRXFH)
+               info_size = (offsetof(struct ethtool_rxnfc, data) +
+                            sizeof(info.data));
+
+       if (copy_from_user(&info, useraddr, info_size))
                return -EFAULT;
 
-       return dev->ethtool_ops->set_rxnfc(dev, &cmd);
+       return dev->ethtool_ops->set_rxnfc(dev, &info);
 }
 
-static int ethtool_get_rxnfc(struct net_device *dev, void __user *useraddr)
+static int ethtool_get_rxnfc(struct net_device *dev,
+                            u32 cmd, void __user *useraddr)
 {
        struct ethtool_rxnfc info;
+       size_t info_size = sizeof(info);
        const struct ethtool_ops *ops = dev->ethtool_ops;
        int ret;
        void *rule_buf = NULL;
@@ -232,7 +244,15 @@ static int ethtool_get_rxnfc(struct net_device *dev, void __user *useraddr)
        if (!ops->get_rxnfc)
                return -EOPNOTSUPP;
 
-       if (copy_from_user(&info, useraddr, sizeof(info)))
+       /* struct ethtool_rxnfc was originally defined for
+        * ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data
+        * members.  User-space might still be using that
+        * definition. */
+       if (cmd == ETHTOOL_GRXFH)
+               info_size = (offsetof(struct ethtool_rxnfc, data) +
+                            sizeof(info.data));
+
+       if (copy_from_user(&info, useraddr, info_size))
                return -EFAULT;
 
        if (info.cmd == ETHTOOL_GRXCLSRLALL) {
@@ -250,7 +270,7 @@ static int ethtool_get_rxnfc(struct net_device *dev, void __user *useraddr)
                goto err_out;
 
        ret = -EFAULT;
-       if (copy_to_user(useraddr, &info, sizeof(info)))
+       if (copy_to_user(useraddr, &info, info_size))
                goto err_out;
 
        if (rule_buf) {
@@ -1095,12 +1115,12 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_GRXCLSRLCNT:
        case ETHTOOL_GRXCLSRULE:
        case ETHTOOL_GRXCLSRLALL:
-               rc = ethtool_get_rxnfc(dev, useraddr);
+               rc = ethtool_get_rxnfc(dev, ethcmd, useraddr);
                break;
        case ETHTOOL_SRXFH:
        case ETHTOOL_SRXCLSRLDEL:
        case ETHTOOL_SRXCLSRLINS:
-               rc = ethtool_set_rxnfc(dev, useraddr);
+               rc = ethtool_set_rxnfc(dev, ethcmd, useraddr);
                break;
        case ETHTOOL_GGRO:
                rc = ethtool_get_gro(dev, useraddr);