Bug 103264 - tg3 ioctl-bug
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: David Miller
Brian Brock
Reported: 2003-08-28 05:42 EDT by Ragnar Kjørstad
Modified: 2010-02-17 00:34 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-02-17 00:34:38 EST
Description Ragnar Kjørstad 2003-08-28 05:42:57 EDT
Description of problem:

The tg3-driver has a bug in the ioctl-function (ETHTOOL_GLINK). A missing
return-statement causes data to be copied to userspace incorrectly, possibly
overwriting the stack of the userspace-program.


Version-Release number of selected component (if applicable):
kernel 2.4.9e24 and 2.4.9e25

How reproducible:
Use a modified version of the ethtool-program

Steps to Reproduce:
1. Download the source of ethtool
2. Modify do_gset-function, insert
   "long a=-1;" before, and "long b=-1" after, struct ethtool_value edata.
3. Modify the code to print the content of a and b right after the ioctl.
4. Run the program.

a and/or b (depending on architecture) will be overwritten by the ioctl.

In other userspace-programs the error will typically overwrite parts of the
stack causing the program to segfault or fail in another way.

The following patch fixes the problem:
--- linux-2.4.9-e.25/drivers/net/tg3.c.orig     Thu Aug 28 09:35:41 2003
+++ linux-2.4.9-e.25/drivers/net/tg3.c  Thu Aug 28 09:36:40 2003
@@ -5196,6 +5196,7 @@
                edata.data = netif_carrier_ok(tp->dev) ? 1 : 0;
                if (copy_to_user(useraddr, &edata, sizeof(edata)))
                        return -EFAULT;
+               return 0;
        }
        case ETHTOOL_GCOALESCE: {
                struct ethtool_coalesce ecoal = { ETHTOOL_GCOALESCE };
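Review bot: the other braced `case` blocks in this switch need the same check for a terminal return, because the `return 0;` added before the closing brace here covers only the block ahead of `case ETHTOOL_GCOALESCE`. Any block that ends without one continues into the next case, which is how the report says a second copy reached the same `useraddr`. The case label this block belongs to lies outside the hunk context, so the patch description should name it (ETHTOOL_GLINK per the report).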


Will a new update-kernel, with this patch or a newer tg3-driver, ship for the
2.1 enterprise-series?
When?
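The missing-return fall-through described in this report, modelled in userspace as an added example (not code from the report or from the tg3 driver). The struct layouts are simplified stand-ins, `model_ioctl`, `model_copy_to_user` and `clobbered_after_glink` are hypothetical names, and a guard-filled byte array plays the role of the `a`/`b` variables from the reproduction steps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the ethtool structs (assumption: only sizes matter). */
struct value    { uint32_t cmd, data; };
struct coalesce { uint32_t cmd, params[22]; };
enum { GLINK = 0x0a, GCOALESCE = 0x0e };

#define GUARD     0xFF
#define EDATA_OFF ((size_t)16)          /* where the caller's struct value sits */
static unsigned char user_mem[128];     /* constructed model of the caller's stack */

/* Model of copy_to_user(): a plain memcpy into the modelled user memory. */
static int model_copy_to_user(unsigned char *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Model of the driver's switch; with_fix selects the patched behaviour. */
static int model_ioctl(int cmd, unsigned char *useraddr, int with_fix)
{
    switch (cmd) {
    case GLINK: {
        struct value edata = { GLINK, 1 };
        if (model_copy_to_user(useraddr, &edata, sizeof(edata)))
            return -1;
        if (with_fix)
            return 0;
    }   /* fall through - return missing */
    case GCOALESCE: {
        struct coalesce ecoal = { GCOALESCE, {0} };
        return model_copy_to_user(useraddr, &ecoal, sizeof(ecoal));
    }
    }
    return -1;
}

/* Issues a GLINK request and counts guard bytes changed outside the struct. */
static size_t clobbered_after_glink(int with_fix)
{
    size_t i, n = 0;
    memset(user_mem, GUARD, sizeof(user_mem));
    model_ioctl(GLINK, user_mem + EDATA_OFF, with_fix);
    for (i = 0; i < sizeof(user_mem); i++)
        if ((i < EDATA_OFF || i >= EDATA_OFF + sizeof(struct value)) && user_mem[i] != GUARD)
            n++;
    return n;
}

int main(void)
{
    printf("unpatched: %zu guard bytes overwritten\n", clobbered_after_glink(0));
    printf("patched:   %zu guard bytes overwritten\n", clobbered_after_glink(1));
    return 0;
}
```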
