On Thu, May 30, 2019 at 08:48:48AM +0200, Michal Kubecek wrote: > On Wed, May 29, 2019 at 10:17:44PM -0700, David Miller wrote: > > From: Vivien Didelot <[email protected]> > > Date: Tue, 28 May 2019 16:58:48 -0400 > > > > > ethtool_get_regs() allocates a buffer of size reglen obtained from > > > ops->get_regs_len(), thus only this value must be used when copying > > > the buffer back to userspace. Also no need to check regbuf twice. > > > > > > Signed-off-by: Vivien Didelot <[email protected]> > > > > Hmmm, can't regs.len be modified by the driver potentially? > > The driver certainly shouldn't raise it as that could result in kernel > writing past the buffer provided by userspace. (I'll check some drivers > to see if they truncate the dump or return an error if regs.len from > userspace is insufficient.) And lowering it would be also wrong as that > would mean dump would be shorter than what ops->get_regs_len() returned.
I looked around a bit. First of all, the driver cannot actually return error as ethtool_ops::get_regs() returns void. Most drivers do not touch regs->len and only fill data and possibly regs->version which is fine. There are few drivers which modify regs->len: s2io_ethtool_gdrvinfo() neterion/s2io vxge_ethtool_gregs() neterion/vxge ixgb_get_regs() intel/ixgb emac_get_regs_len() qualcomm/emac ql_get_regs() qlogic/qlge axienet_ethtools_get_regs() xilinx/axienet All of these set regs->len to the same value as ->get_regs_len() returns (ixgb does it in rather fragile way). This means that if userspace passes insufficient buffer size, current code would write pass that buffer; but proposed patch would make things worse as with it, kernel would always write past the userspace buffer in such case. Note: ieee80211_get_regs() in net/mac80211/ethtool.c also sets regs->len but it always sets it to 0 which is also what ->get_regs_len() returns so that it does not actually modify the value. I believe this should be handled by ethtool_get_regs(), either by returning an error or by only copying data up to original regs.len passed by userspace. The former seems more correct but broken userspace software would suddenly start to fail where it "used to work". The latter would be closer to current behaviour but it would mean that broken userspace software might nerver notice there is something wrong. Michal Kubecek
