git.neil.brown.name Git - history.git/commit

author	Chris Wright <chrisw@osdl.org>
	Mon, 19 Apr 2004 08:46:18 +0000 (04:46 -0400)
committer	Linus Torvalds <torvalds@ppc970.osdl.org>
	Mon, 19 Apr 2004 08:46:18 +0000 (04:46 -0400)
commit	bf31652c0229b2724679e94db2e0d5f8c0a26756
tree	11e2941ff02e96d10e5b5d5eb0eccc92bd0b6d47	tree \| snapshot
parent	27de746666f2ed03e0173f84b7e6ec7c751e4bbb	commit \| diff

[PATCH] e1000: fix probable security hole

* Ken Ashcraft (ken@coverity.com) wrote:
> [BUG]
> /home/kash/linux/linux-2.6.5/drivers/net/e1000/e1000_ethtool.c:1494:e1000_ethtool_ioctl: ERROR:TAINT: 1487:1494:Passing unbounded user value "(regs).len" as arg 2 to function "copy_to_user", which uses it unsafely in model [SOURCE_MODEL=(lib,copy_from_user,user,taintscalar)] [SINK_MODEL=(lib,copy_to_user,user,trustingsink)] [PATH=]
> }
> case ETHTOOL_GREGS: {
> struct ethtool_regs regs = {ETHTOOL_GREGS};
> uint32_t regs_buff[E1000_REGS_LEN];
>
> Start --->
> if(copy_from_user(&regs, addr, sizeof(regs)))
> return -EFAULT;
> e1000_ethtool_gregs(adapter, &regs, regs_buff);
> if(copy_to_user(addr, &regs, sizeof(regs)))
> return -EFAULT;
>
> addr += offsetof(struct ethtool_regs, data);
> Error --->
> if(copy_to_user(addr, regs_buff, regs.len))
> return -EFAULT;
>
> return 0;

Looks like a bug. Possible patch below zeros the buffer (since it's not
filled completely by e1000_ethtool_gregs()), and truncates len.