• Vivien Didelot's avatar
    ethtool: fix potential userspace buffer overflow · 0ee4e769
    Vivien Didelot authored
    ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
    and pass it to the kernel driver via ops->get_regs() for filling.
    
    There is no restriction about what the kernel drivers can or cannot do
    with the open ethtool_regs structure. They usually set regs->version
    and ignore regs->len or set it to the same size as ops->get_regs_len().
    
    But if userspace allocates a smaller buffer for the registers dump,
    we would cause a userspace buffer overflow in the final copy_to_user()
    call, which uses the regs.len value potentially reset by the driver.
    
    To fix this, make this case obvious and store regs.len before calling
    ops->get_regs(), to only copy as much data as requested by userspace,
    up to the value returned by ops->get_regs_len().
    
    While at it, remove the redundant check for non-null regbuf.
    Signed-off-by: default avatarVivien Didelot <vivien.didelot@gmail.com>
    Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    0ee4e769
ethtool.c 78.8 KB