Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 2.1 product line. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 103264

Summary: tg3 ioctl-bug
Product: Red Hat Enterprise Linux 2.1 Reporter: Ragnar Kjørstad <bugzilla>
Component: kernelAssignee: David Miller <davem>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.1CC: jgarzik, riel
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-17 05:34:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ragnar Kjørstad 2003-08-28 09:42:57 UTC 
Description of problem:

The tg3-driver has a bug in the ioctl-function (ETHTOOL_GLINK). A missing
return-statement causes data to be copied userspace incorrectly, possible
overwriting the stack of the userspace-program.


Version-Release number of selected component (if applicable):
kernel 2.4.9e24 and 2.4.9e25

How reproducible:
Use a modified version of the ethtool-program

Steps to Reproduce:
1. Download the source of ethtool
2. Modify do_gset-function, insert
   "long a=-1;" before, and "long b=-1" after, struct ethtool_value edata.
3. Modify the code to print the content of a and b right after the ioctl.
4. Run the program.

a and/or b (depending on architecture) will be overwritten by the ioctl.

In other userspace-programs the error will typically overwrite parts of the
stack causing the program to segfault or fail in another way.

The following patch fixes the problem:
--- linux-2.4.9-e.25/drivers/net/tg3.c.orig     Thu Aug 28 09:35:41 2003
+++ linux-2.4.9-e.25/drivers/net/tg3.c  Thu Aug 28 09:36:40 2003
@@ -5196,6 +5196,7 @@
                edata.data = netif_carrier_ok(tp->dev) ? 1 : 0;
                if (copy_to_user(useraddr, &edata, sizeof(edata)))
                        return -EFAULT;
+               return 0;
        }
        case ETHTOOL_GCOALESCE: {
                struct ethtool_coalesce ecoal = { ETHTOOL_GCOALESCE };


Will a new update-kernel, with this patch or a newer tg3-driver, ship for the
2.1 enterprise-series?
When?