tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net: clear heap allocations for privileged ethtool actions

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Kees Cook and committed by David S. Miller b00916b1 0aa7dead

+3 -3
unified split
+3 -3
net/core/ethtool.c
··· 397 397 (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) 398 398 return -ENOMEM; 399 399 full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; 400 - indir = kmalloc(full_size, GFP_USER); 400 + indir = kzalloc(full_size, GFP_USER); 401 401 if (!indir) 402 402 return -ENOMEM; 403 403 ··· 538 538 539 539 gstrings.len = ret; 540 540 541 - data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); 541 + data = kzalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); 542 542 if (!data) 543 543 return -ENOMEM; 544 544 ··· 775 775 if (regs.len > reglen) 776 776 regs.len = reglen; 777 777 778 - regbuf = kmalloc(reglen, GFP_USER); 778 + regbuf = kzalloc(reglen, GFP_USER); 779 779 if (!regbuf) 780 780 return -ENOMEM; 781 781