leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2c05d88818
linux/drivers/net/ethernet
History
Wenwen Wang 2c05d88818 net: cxgb3_main: fix a missing-check bug 
In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
the user-space buffer 'useraddr' to 'cmd' and checked through the
switch statement. If the command is not as expected, an error code
EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
switch statement, the whole buffer of 'useraddr' is copied again to a
specific data structure, according to what kind of command is requested.
However, after the second copy, there is no re-check on the newly-copied
command. Given that the buffer 'useraddr' is in the user space, a malicious
user can race to change the command between the two copies. By doing so,
the attacker can supply malicious data to the kernel and cause undefined
behavior.

This patch adds a re-check in each case of the switch statement if there is
a second copy in that case, to re-check whether the command obtained in the
second copy is the same as the one in the first copy. If not, an error code
EINVAL is returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-10-05 11:47:19 -07:00
..
3com net: prevent ISA drivers from building on PPC32 2018-07-22 11:12:29 -07:00
8390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-08-15 15:04:25 -07:00
adaptec net: adaptec: Replace mdelay() with msleep() in starfire_init_one() 2018-07-26 21:24:23 -07:00
aeroflex
agere
alacritech
allwinner
alteon alteon: acenic: mark expected switch fall-through 2018-08-07 17:54:19 -07:00
altera
amazon net: ena: remove ndo_poll_controller 2018-09-28 11:12:29 -07:00
amd declance: Fix continuation with the adapter identification message 2018-10-02 11:31:54 -07:00
apm ACPI: Convert ACPI reference args to generic fwnode reference args 2018-07-23 12:44:52 +02:00
apple net: apple: fix return type of ndo_start_xmit function 2018-09-21 19:15:15 -07:00
aquantia net: aquantia: memory corruption on jumbo frames 2018-09-23 22:25:25 -07:00
arc
atheros Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-07-24 19:21:58 -07:00
aurora net: ethernet: Make NET_VENDOR_AURORA default to yes 2018-07-05 20:05:54 +09:00
broadcom bnxt_en: get the reduced max_irqs by the ones used by RDMA 2018-10-04 21:41:16 -07:00
brocade
cadence net: macb: Clean 64b dma addresses if they are not detected 2018-09-25 10:33:52 -07:00
calxeda Merge 4.18-rc5 into char-misc-next 2018-07-16 09:04:54 +02:00
cavium liquidio: remove set but not used variable 'is25G' 2018-08-13 09:21:05 -07:00
chelsio net: cxgb3_main: fix a missing-check bug 2018-10-05 11:47:19 -07:00
cirrus net: cirrus: fix return type of ndo_start_xmit function 2018-09-21 19:15:14 -07:00
cisco net: cisco: enic: Replace GFP_ATOMIC with GFP_KERNEL 2018-08-04 13:08:06 -07:00
cortina net: gemini: Indicate that we can handle jumboframes 2018-07-12 17:39:15 -07:00
davicom
dec net: tulip: de4x5: mark expected switch fall-throughs 2018-08-07 17:54:19 -07:00
dlink
emulex be2net: don't flip hw_features when VXLANs are added/deleted 2018-10-05 00:59:21 -07:00
ezchip
faraday headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
freescale net: fec: fix rare tx timeout 2018-10-02 11:27:10 -07:00
fujitsu
hisilicon net: hns: remove ndo_poll_controller 2018-09-28 11:12:28 -07:00
hp net: hp100: fix always-true check for link up state 2018-09-17 07:55:19 -07:00
huawei hinic: remove ndo_poll_controller 2018-09-28 11:12:28 -07:00
i825xx net: i825xx: fix return type of ndo_start_xmit function 2018-09-21 19:15:15 -07:00
ibm ibmvnic: remove ndo_poll_controller 2018-09-28 11:12:29 -07:00
intel ixgbe: check return value of napi_complete_done() 2018-10-03 14:40:32 -07:00
marvell net: mvneta: fix the remaining Rx descriptor unmapping issues 2018-09-24 12:27:28 -07:00
mediatek net-next: mediatek: cleanup unnecessary get chip id and its user 2018-07-29 13:15:57 -07:00
mellanox mlxsw: spectrum: Delete RIF when VLAN device is removed 2018-10-04 09:53:03 -07:00
micrel Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-08-15 16:01:47 -07:00
microchip net: ethernet: Fix a unused function warning. 2018-09-17 08:24:25 -07:00
moxa
mscc net: mscc: fix the frame extraction into the skb 2018-09-21 09:07:50 -07:00
myricom
natsemi
neterion vxge: remove set but not used variable 'req_out', 'status' and 'ret' 2018-08-11 12:05:19 -07:00
netronome nfp: avoid soft lockups under control message storm 2018-10-02 11:47:58 -07:00
ni net: nixge: Don't store skb in app4 field of descriptor 2018-08-13 08:49:37 -07:00
nuvoton
nvidia net: nvidia: forcedeth: Replace GFP_ATOMIC with GFP_KERNEL in nv_probe() 2018-07-27 13:45:14 -07:00
nxp
oki-semi
packetengines net: ethernet: Add missing VENDOR to Cadence and Packet Engines symbols 2018-07-05 20:05:54 +09:00
pasemi
qlogic qlcnic: fix Tx descriptor corruption on 82xx devices 2018-09-29 11:46:07 -07:00
qualcomm net: qualcomm: rmnet: Fix incorrect allocation flag in receive path 2018-10-02 22:16:00 -07:00
rdc
realtek r8169: always autoneg on resume 2018-10-02 22:33:43 -07:00
renesas ravb: do not write 1 to reserved bits 2018-09-18 20:09:57 -07:00
rocker
samsung net: ethernet: sxgbe: mark expected switch fall-throughs 2018-08-07 17:54:20 -07:00
seeq net: seeq: fix return type of ndo_start_xmit function 2018-09-21 19:15:14 -07:00
sfc sfc-falcon: remove ndo_poll_controller 2018-09-28 11:12:29 -07:00
sgi net: sgi: fix return type of ndo_start_xmit function 2018-09-21 19:15:14 -07:00
silan
sis
smsc ARM: 32-bit SoC platform updates 2018-08-23 13:44:43 -07:00
socionext net: socionext: Increase descriptors to 256 2018-08-11 12:11:36 -07:00
stmicro net: stmmac: Fixup the tail addr setting in xmit path 2018-09-18 19:48:08 -07:00
sun net: allow ndo_select_queue to pass netdev 2018-07-09 13:41:34 -07:00
synopsys net: ethernet: Use existing define with polynomial 2018-07-27 19:16:37 +08:00
tehuti net: tehuti: remove redundant pointer skb 2018-07-05 19:33:39 +09:00
ti net: ethernet: ti: add missing GENERIC_ALLOCATOR dependency 2018-09-17 07:49:33 -07:00
toshiba
tundra
via
wiznet net: wiznet: fix return type of ndo_start_xmit function 2018-09-21 19:15:15 -07:00
xilinx Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net 2018-07-24 19:21:58 -07:00
xircom
xscale
dnet.c
dnet.h
ec_bhf.c
ethoc.c
fealnx.c
jme.c net: jme: Replace mdelay() with msleep() and usleep_range() in jme_wait_link() 2018-07-27 13:45:14 -07:00
jme.h
Kconfig net: change Exar/Neterion menu items to be alphabetical 2018-08-01 09:49:02 -07:00
korina.c
lantiq_etop.c MIPS: lantiq: dma: add dev pointer 2018-09-11 23:33:19 -07:00
Makefile net: change Exar/Neterion menu items to be alphabetical 2018-08-01 09:49:02 -07:00
netx-eth.c