From patchwork Thu Oct 7 20:03:48 2010
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 67103
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 7 Oct 2010 13:03:48 -0700
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: "David S. Miller", Ben Hutchings, Jeff Garzik, Jeff Kirsher, Peter P Waskiewicz Jr, netdev@vger.kernel.org
Subject: [PATCH] net: clear heap allocation for ETHTOOL_GRXCLSRLALL
Message-ID: <20101007200348.GA6038@outflux.net>
Organization: Canonical
X-Mailing-List: netdev@vger.kernel.org

Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.

Cc: stable@kernel.org
Signed-off-by: Kees Cook Acked-by: Ben Hutchings --- net/core/ethtool.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/core/ethtool.c b/net/core/ethtool.c index 7a85367..4016ac6 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c @@ -348,7 +348,7 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, if (info.cmd == ETHTOOL_GRXCLSRLALL) { if (info.rule_cnt > 0) { if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) - rule_buf = kmalloc(info.rule_cnt * sizeof(u32), + rule_buf = kzalloc(info.rule_cnt * sizeof(u32), GFP_USER); if (!rule_buf) return -ENOMEM;
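
Review bot: On the changed allocation line in ethtool_get_rxnfc(), kzalloc(info.rule_cnt * sizeof(u32), GFP_USER) still open-codes the size multiplication and depends on the separate info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32) test on the line above to rule out overflow. kcalloc(info.rule_cnt, sizeof(u32), GFP_USER) would zero the buffer the same way and keep the overflow check inside the allocation call, so the two cannot drift apart in a later edit. A one-line comment at the allocation noting that the whole buffer is copied back to userspace, and therefore must be zeroed, would also help keep a future cleanup from reverting it to kmalloc.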