[34-longterm 198/260] net: clear heap allocations for privileged ethtool actions

From: Paul Gortmaker
Date: Sun Jan 02 2011 - 02:39:56 EST

From: Kees Cook <kees.cook@xxxxxxxxxxxxx>

commit b00916b189d13a615ff05c9242201135992fcda3 upstream.

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

[PG: 34 doesn't have ethtool_get_rxnfc(), drop that chunk]

Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Acked-by: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Paul Gortmaker <paul.gortmaker@xxxxxxxxxxxxx>
net/core/ethtool.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index f4d6a12..5328c62 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -464,7 +464,7 @@ static int ethtool_get_rx_ntuple(struct net_device *dev, void __user *useraddr)

gstrings.len = ret;

- data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER);
+ data = kzalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER);
if (!data)
return -ENOMEM;

@@ -701,7 +701,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
if (regs.len > reglen)
regs.len = reglen;

- regbuf = kmalloc(reglen, GFP_USER);
+ regbuf = kzalloc(reglen, GFP_USER);
if (!regbuf)
return -ENOMEM;


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/