diff options
author | Michal Schmidt <mschmidt@redhat.com> | 2013-07-01 17:23:30 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-07-02 00:15:56 -0700 |
commit | c590b5e2f05b5e98e614382582b7ae4cddb37599 (patch) | |
tree | ee104276146080fdf350eeb7a5f6d9586c2e209c /net | |
parent | 8cc2d927c26a677415a9d0d23b9a043107f948c3 (diff) | |
download | blackbird-op-linux-c590b5e2f05b5e98e614382582b7ae4cddb37599.tar.gz blackbird-op-linux-c590b5e2f05b5e98e614382582b7ae4cddb37599.zip |
ethtool: make .get_dump_data() harder to misuse by drivers
As the patch "bnx2x: remove zeroing of dump data buffer" showed,
it is too easy implement .get_dump_data incorrectly in a driver.
Let's make sure drivers cannot get confused by userspace requesting
a too big dump.
Also WARN if the driver sets dump->len to something weird and make
sure the length reported to userspace is the actual length of data
copied to userspace.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/core/ethtool.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/net/core/ethtool.c b/net/core/ethtool.c index 9255bbdf81ff..ab5fa6336c84 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c @@ -1320,10 +1320,19 @@ static int ethtool_get_dump_data(struct net_device *dev, if (ret) return ret; - len = (tmp.len > dump.len) ? dump.len : tmp.len; + len = min(tmp.len, dump.len); if (!len) return -EFAULT; + /* Don't ever let the driver think there's more space available + * than it requested with .get_dump_flag(). + */ + dump.len = len; + + /* Always allocate enough space to hold the whole thing so that the + * driver does not need to check the length and bother with partial + * dumping. + */ data = vzalloc(tmp.len); if (!data) return -ENOMEM; @@ -1331,6 +1340,16 @@ static int ethtool_get_dump_data(struct net_device *dev, if (ret) goto out; + /* There are two sane possibilities: + * 1. The driver's .get_dump_data() does not touch dump.len. + * 2. Or it may set dump.len to how much it really writes, which + * should be tmp.len (or len if it can do a partial dump). + * In any case respond to userspace with the actual length of data + * it's receiving. + */ + WARN_ON(dump.len != len && dump.len != tmp.len); + dump.len = len; + if (copy_to_user(useraddr, &dump, sizeof(dump))) { ret = -EFAULT; goto out; |