Re: [PATCH net-next] ethtool: copy reglen to userspace

From: Michal Kubecek
Date: Thu May 30 2019 - 04:31:00 EST

Next message: Ondrej Mosnacek: "Re: [PATCH] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()"
Previous message: Alexey Budankov: "Re: [PATCH v4] perf record: collect user registers set jointly with dwarf stacks"
In reply to: Michal Kubecek: "Re: [PATCH net-next] ethtool: copy reglen to userspace"
Next in thread: David Miller: "Re: [PATCH net-next] ethtool: copy reglen to userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 30, 2019 at 08:48:48AM +0200, Michal Kubecek wrote:
> On Wed, May 29, 2019 at 10:17:44PM -0700, David Miller wrote:
> > From: Vivien Didelot <vivien.didelot@xxxxxxxxx>
> > Date: Tue, 28 May 2019 16:58:48 -0400
> >
> > > ethtool_get_regs() allocates a buffer of size reglen obtained from
> > > ops->get_regs_len(), thus only this value must be used when copying
> > > the buffer back to userspace. Also no need to check regbuf twice.
> > >
> > > Signed-off-by: Vivien Didelot <vivien.didelot@xxxxxxxxx>
> >
> > Hmmm, can't regs.len be modified by the driver potentially?
>
> The driver certainly shouldn't raise it as that could result in kernel
> writing past the buffer provided by userspace. (I'll check some drivers
> to see if they truncate the dump or return an error if regs.len from
> userspace is insufficient.) And lowering it would be also wrong as that
> would mean dump would be shorter than what ops->get_regs_len() returned.

I looked around a bit. First of all, the driver cannot actually return
error as ethtool_ops::get_regs() returns void. Most drivers do not touch
regs->len and only fill data and possibly regs->version which is fine.

There are few drivers which modify regs->len:

s2io_ethtool_gdrvinfo() neterion/s2io
vxge_ethtool_gregs() neterion/vxge
ixgb_get_regs() intel/ixgb
emac_get_regs_len() qualcomm/emac
ql_get_regs() qlogic/qlge
axienet_ethtools_get_regs() xilinx/axienet

All of these set regs->len to the same value as ->get_regs_len() returns
(ixgb does it in rather fragile way). This means that if userspace
passes insufficient buffer size, current code would write pass that
buffer; but proposed patch would make things worse as with it, kernel
would always write past the userspace buffer in such case.

Note: ieee80211_get_regs() in net/mac80211/ethtool.c also sets regs->len
but it always sets it to 0 which is also what ->get_regs_len() returns
so that it does not actually modify the value.

I believe this should be handled by ethtool_get_regs(), either by
returning an error or by only copying data up to original regs.len
passed by userspace. The former seems more correct but broken userspace
software would suddenly start to fail where it "used to work". The
latter would be closer to current behaviour but it would mean that
broken userspace software might nerver notice there is something wrong.

Michal Kubecek

Next message: Ondrej Mosnacek: "Re: [PATCH] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()"
Previous message: Alexey Budankov: "Re: [PATCH v4] perf record: collect user registers set jointly with dwarf stacks"
In reply to: Michal Kubecek: "Re: [PATCH net-next] ethtool: copy reglen to userspace"
Next in thread: David Miller: "Re: [PATCH net-next] ethtool: copy reglen to userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]