Bug 103264 - tg3 ioctl-bug
Summary: tg3 ioctl-bug
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
Reported: 2003-08-28 09:42 UTC by Ragnar Kjørstad
Modified: 2010-02-17 05:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-17 05:34:38 UTC

Description Ragnar Kjørstad 2003-08-28 09:42:57 UTC
Description of problem:

The tg3-driver has a bug in the ioctl-function (ETHTOOL_GLINK). A missing
return-statement causes data to be copied to userspace incorrectly, possibly
overwriting the stack of the userspace-program.


Version-Release number of selected component (if applicable):
kernel 2.4.9e24 and 2.4.9e25

How reproducible:
Use a modified version of the ethtool-program

Steps to Reproduce:
1. Download the source of ethtool
2. Modify do_gset-function, insert
   "long a=-1;" before, and "long b=-1" after, struct ethtool_value edata.
3. Modify the code to print the content of a and b right after the ioctl.
4. Run the program.

a and/or b (depending on architecture) will be overwritten by the ioctl.

In other userspace-programs the error will typically overwrite parts of the
stack causing the program to segfault or fail in another way.

The following patch fixes the problem:
--- linux-2.4.9-e.25/drivers/net/tg3.c.orig     Thu Aug 28 09:35:41 2003
+++ linux-2.4.9-e.25/drivers/net/tg3.c  Thu Aug 28 09:36:40 2003
@@ -5196,6 +5196,7 @@
                edata.data = netif_carrier_ok(tp->dev) ? 1 : 0;
                if (copy_to_user(useraddr, &edata, sizeof(edata)))
                        return -EFAULT;
+               return 0;
        }
        case ETHTOOL_GCOALESCE: {
                struct ethtool_coalesce ecoal = { ETHTOOL_GCOALESCE };
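Review bot: the other ETHTOOL_* cases in this switch should be checked for the same missing return after their copy_to_user() check, because the hunk repairs only the ETHTOOL_GLINK case that ends just above `case ETHTOOL_GCOALESCE: {`. A fall-through anywhere else would likewise run the next command's handler against a buffer the caller sized for a different structure. A one-line comment next to the added `return 0;`, or a note in the changelog, naming the fall-through would make the reason for the line clear to later readers.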


Will a new update-kernel, with this patch or a newer tg3-driver, ship for the
2.1 enterprise-series?
When?
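
The sentinel check from the reproduction steps, as an added user-space simulation that is not part of the original report and is not tg3 or ethtool code. All names here (CMD_GLINK, CMD_GCOALESCE, small_reply, large_reply, caller_frame, handle, sentinels_clobbered) are constructed stand-ins, and the reply sizes are assumptions chosen so that the second reply is larger than the first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins; not the kernel's ethtool definitions. */
enum { CMD_GLINK = 1, CMD_GCOALESCE = 2 };
struct small_reply { unsigned cmd, data; };          /* reply the caller sized for */
struct large_reply { unsigned cmd, fields[8]; };     /* reply of the next case */
/* Sentinels around the buffer, as in the steps; b[] keeps the overrun in-bounds. */
struct caller_frame { long a; struct small_reply edata; long b[8]; };

/* Simulated handler; fixed != 0 applies the missing return. */
static int handle(unsigned cmd, void *useraddr, int fixed)
{
    switch (cmd) {
    case CMD_GLINK: {
        struct small_reply r = { CMD_GLINK, 1 };
        memcpy(useraddr, &r, sizeof(r));
        if (fixed)
            return 0;
    }
    /* fall through - reached only when the return above is missing */
    case CMD_GCOALESCE: {
        struct large_reply r = { CMD_GCOALESCE, { 0 } };
        memcpy(useraddr, &r, sizeof(r));   /* larger than the caller's buffer */
        return 0;
    }
    }
    return -1;
}

/* Number of sentinel longs changed by one CMD_GLINK call. */
static int sentinels_clobbered(int fixed)
{
    struct caller_frame f;
    int i, hits;
    memset(&f, 0xff, sizeof(f));           /* a and every b[i] become -1 */
    handle(CMD_GLINK, (char *)&f + offsetof(struct caller_frame, edata), fixed);
    hits = (f.a != -1);
    for (i = 0; i < 8; i++)
        hits += (f.b[i] != -1);
    return hits;
}

int main(void)
{
    printf("unfixed: %d sentinel(s) changed\n", sentinels_clobbered(0));
    printf("fixed:   %d sentinel(s) changed\n", sentinels_clobbered(1));
    return 0;
}
```

The sentinels sit in one enclosing struct so the overrun lands in a known place; with separate local variables, which of them is hit depends on the compiler's stack layout.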

