korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-16 08:44:21 +08:00
Code Issues Packages Projects Releases Wiki Activity
2bb3207dbb
linux/net
History
Wenwen Wang 2bb3207dbb ethtool: fix a missing-check bug 
In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
'info_size'. Then the whole structure of 'info' is copied from the
user-space buffer 'useraddr' with 'info_size' bytes. In the following
execution, 'info' may be copied again from the buffer 'useraddr' depending
on the 'cmd' and the 'info.flow_type'. However, after these two copies,
there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
space, a malicious user can race to change the eth command in the buffer
between these copies. By doing so, the attacker can supply inconsistent
data and cause undefined behavior because in the following execution 'info'
will be passed to ops->get_rxnfc().

This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
they are still same after the two copies in ethtool_get_rxnfc(). Otherwise,
an error code EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-15 21:37:01 -07:00
..
6lowpan 6lowpan: iphc: reset mac_header after decompress to fix panic 2018-07-06 12:32:12 +02:00
9p Pull request for inclusion in 4.19, take two 2018-08-17 17:27:58 -07:00
802
8021q net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
appletalk Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-08-15 15:04:25 -07:00
ax25 ax25: remove blank line at EOF 2018-07-24 14:10:42 -07:00
batman-adv batman-adv: Increase version number to 2018.3 2018-09-14 17:59:20 +02:00
bluetooth Bluetooth: SMP: fix crash in unpairing 2018-09-26 12:39:32 +03:00
bpf bpf/test_run: support cgroup local storage 2018-08-03 00:47:32 +02:00
bpfilter net: bpfilter: Fix type cast and pointer warnings 2018-10-05 11:51:06 -07:00
bridge netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev 2018-09-20 18:24:14 +02:00
caif net: simplify sock_poll_wait 2018-07-30 09:10:25 -07:00
can Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
ceph crush: fix using plain integer as NULL warning 2018-08-13 17:55:44 +02:00
core ethtool: fix a missing-check bug 2018-10-15 21:37:01 -07:00
dcb net: dcb: Add priority-to-DSCP map getters 2018-07-27 13:17:50 -07:00
dccp inet: make sure to grab rcu_read_lock before using ireq->ireq_opt 2018-10-02 15:52:12 -07:00
decnet decnet: fix using plain integer as NULL warning 2018-08-09 14:11:24 -07:00
dns_resolver net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
dsa net: dsa: Drop GPIO includes 2018-08-27 15:24:33 -07:00
ethernet net: Convert GRO SKB handling to list_head. 2018-06-26 11:33:04 +09:00
hsr
ieee802154 net: ieee802154: 6lowpan: remove redundant pointers 'fq' and 'net' 2018-08-06 11:21:15 +02:00
ife
ipv4 net: ipv4: don't let PMTU updates increase route MTU 2018-10-10 22:44:46 -07:00
ipv6 net/ipv6: stop leaking percpu memory in fib6 info 2018-10-10 22:42:54 -07:00
iucv net/iucv: declare iucv_path_table_empty() as static 2018-09-05 22:32:22 -07:00
kcm Revert "kcm: remove any offset before parsing messages" 2018-09-17 18:43:42 -07:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2018-07-27 09:33:37 -07:00
l2tp l2tp: fix unused function warning 2018-08-13 20:45:49 -07:00
l3mdev
lapb
llc Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-08-09 11:52:36 -07:00
mac80211 mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys 2018-10-01 09:13:48 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-08-06 11:21:37 +02:00
mpls mpls: allow routes on ip6gre devices 2018-09-24 12:19:27 -07:00
ncsi net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler 2018-08-22 21:39:08 -07:00
netfilter netfilter: xt_socket: check sk before checking for netns. 2018-09-28 14:47:41 +02:00
netlabel netlabel: check for IPV4MASK in addrinfo_get 2018-09-21 18:58:34 -07:00
netlink Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-08-05 13:04:31 -07:00
netrom Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
nfc NFC: Fix possible memory corruption when handling SHDLC I-Frame commands 2018-09-18 19:55:01 -07:00
nsh nsh: set mac len based on inner packet 2018-07-12 16:55:29 -07:00
openvswitch openvswitch: load NAT helper 2018-10-04 21:45:16 -07:00
packet net/packet: fix packet drop as of virtio gso 2018-10-04 22:23:15 -07:00
phonet Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
psample
qrtr net: qrtr: Reset the node and port ID of broadcast messages 2018-07-05 20:20:03 +09:00
rds rds: RDS (tcp) hangs on sendto() to unresponding address 2018-10-10 22:19:52 -07:00
rfkill Here are quite a large number of fixes, notably: 2018-09-03 22:12:02 -07:00
rose Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
rxrpc rxrpc: Fix the packet reception routine 2018-10-08 22:42:04 +01:00
sched Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-10-12 09:01:59 +02:00
sctp sctp: fix fall-through annotation 2018-10-03 09:33:13 -07:00
smc smc: generic netlink family should be __ro_after_init 2018-09-20 07:49:55 -07:00
strparser strparser: remove redundant variable 'rd_desc' 2018-08-01 10:00:06 -07:00
sunrpc NFS client updates for Linux 4.19 2018-08-23 16:03:58 -07:00
switchdev
tipc tipc: eliminate possible recursive locking detected by LOCKDEP 2018-10-11 10:23:48 -07:00
tls tls: fix currently broken MSG_PEEK behavior 2018-09-17 08:03:09 -07:00
unix af_unix: ensure POLLOUT on remote close() for connected dgram socket 2018-08-03 16:44:19 -07:00
vmw_vsock vsock: split dwork to avoid reinitializations 2018-08-07 12:39:13 -07:00
wimax wimax: remove blank lines at EOF 2018-07-24 14:10:42 -07:00
wireless cfg80211: fix use-after-free in reg_process_hint() 2018-10-01 09:14:03 +02:00
x25 x25: remove blank lines at EOF 2018-07-24 14:10:42 -07:00
xdp xsk: do not call synchronize_net() under RCU read lock 2018-10-11 10:19:01 +02:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2018-10-01 22:29:25 -07:00
compat.c net: avoid unnecessary sock_flag() check when enable timestamp 2018-08-06 10:42:48 -07:00
Kconfig net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
Makefile bpfilter: check compiler capability in Kconfig 2018-06-28 13:36:39 +09:00
socket.c socket: fix struct ifreq size in compat ioctl 2018-09-13 16:01:06 -07:00
sysctl_net.c