tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net: clear heap allocations for privileged ethtool actions

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Kees Cook and committed by David S. Miller b00916b1 0aa7dead

+3 -3
unified split
+3 -3
net/core/ethtool.c
··· 397 (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) 398 return -ENOMEM; 399 full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; 400 - indir = kmalloc(full_size, GFP_USER); 401 if (!indir) 402 return -ENOMEM; 403 ··· 538 539 gstrings.len = ret; 540 541 - data = kmalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); 542 if (!data) 543 return -ENOMEM; 544 ··· 775 if (regs.len > reglen) 776 regs.len = reglen; 777 778 - regbuf = kmalloc(reglen, GFP_USER); 779 if (!regbuf) 780 return -ENOMEM; 781
··· 397 (KMALLOC_MAX_SIZE - sizeof(*indir)) / sizeof(*indir->ring_index)) 398 return -ENOMEM; 399 full_size = sizeof(*indir) + sizeof(*indir->ring_index) * table_size; 400 + indir = kzalloc(full_size, GFP_USER); 401 if (!indir) 402 return -ENOMEM; 403 ··· 538 539 gstrings.len = ret; 540 541 + data = kzalloc(gstrings.len * ETH_GSTRING_LEN, GFP_USER); 542 if (!data) 543 return -ENOMEM; 544 ··· 775 if (regs.len > reglen) 776 regs.len = reglen; 777 778 + regbuf = kzalloc(reglen, GFP_USER); 779 if (!regbuf) 780 return -ENOMEM; 781