Bug 103264 - tg3 ioctl-bug
Summary: tg3 ioctl-bug
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel (Show other bugs)
(Show other bugs)
Version: 2.1
Hardware: All Linux
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2003-08-28 09:42 UTC by Ragnar Kjørstad
Modified: 2010-02-17 05:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-02-17 05:34:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Ragnar Kjørstad 2003-08-28 09:42:57 UTC
Description of problem:

The tg3-driver has a bug in the ioctl-function (ETHTOOL_GLINK). A missing
return-statement causes data to be copied userspace incorrectly, possible
overwriting the stack of the userspace-program.

Version-Release number of selected component (if applicable):
kernel 2.4.9e24 and 2.4.9e25

How reproducible:
Use a modified version of the ethtool-program

Steps to Reproduce:
1. Download the source of ethtool
2. Modify do_gset-function, insert
   "long a=-1;" before, and "long b=-1" after, struct ethtool_value edata.
3. Modify the code to print the content of a and b right after the ioctl.
4. Run the program.

a and/or b (depending on architecture) will be overwritten by the ioctl.

In other userspace-programs the error will typically overwrite parts of the
stack causing the program to segfault or fail in another way.

The following patch fixes the problem:
--- linux-2.4.9-e.25/drivers/net/tg3.c.orig     Thu Aug 28 09:35:41 2003
+++ linux-2.4.9-e.25/drivers/net/tg3.c  Thu Aug 28 09:36:40 2003
@@ -5196,6 +5196,7 @@
                edata.data = netif_carrier_ok(tp->dev) ? 1 : 0;
                if (copy_to_user(useraddr, &edata, sizeof(edata)))
                        return -EFAULT;
+               return 0;
        case ETHTOOL_GCOALESCE: {
                struct ethtool_coalesce ecoal = { ETHTOOL_GCOALESCE };

Will a new update-kernel, with this patch or a newer tg3-driver, ship for the
2.1 enterprise-series?

Note You need to log in before you can comment on or make changes to this bug.