• Wenwen Wang's avatar
    net: cxgb3_main: fix a missing-check bug · 2c05d888
    Wenwen Wang authored
    In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
    the user-space buffer 'useraddr' to 'cmd' and checked through the
    switch statement. If the command is not as expected, an error code
    EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
    switch statement, the whole buffer of 'useraddr' is copied again to a
    specific data structure, according to what kind of command is requested.
    However, after the second copy, there is no re-check on the newly-copied
    command. Given that the buffer 'useraddr' is in the user space, a malicious
    user can race to change the command between the two copies. By doing so,
    the attacker can supply malicious data to the kernel and cause undefined
    behavior.
    
    This patch adds a re-check in each case of the switch statement if there is
    a second copy in that case, to re-check whether the command obtained in the
    second copy is the same as the one in the first copy. If not, an error code
    EINVAL is returned.
    Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2c05d888
cxgb3_main.c 87.4 KB