| From foo@baz Mon 27 Jan 2020 04:06:27 PM CET |
| From: Michael Ellerman <mpe@ellerman.id.au> |
| Date: Fri, 24 Jan 2020 20:41:44 +1100 |
| Subject: net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM |
| |
| From: Michael Ellerman <mpe@ellerman.id.au> |
| |
| [ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a = |
| |
| The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet |
| adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in |
| cxgb_extension_ioctl(). |
| |
| One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears |
| to read memory directly out of the adapter and return it to userspace. |
| It's not entirely clear what the contents of the adapter memory |
| contains, but the assumption is that it shouldn't be accessible to all |
| users. |
| |
| So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after |
| the is_offload() check, which matches two of the other subcommands in |
| the same function which also check for is_offload() and CAP_NET_ADMIN. |
| |
| Found by Ilja by code inspection, not tested as I don't have the |
| required hardware. |
| |
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |
| +++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |
| @@ -2440,6 +2440,8 @@ static int cxgb_extension_ioctl(struct n |
| |
| if (!is_offload(adapter)) |
| return -EOPNOTSUPP; |
| + if (!capable(CAP_NET_ADMIN)) |
| + return -EPERM; |
| if (!(adapter->flags & FULL_INIT_DONE)) |
| return -EIO; /* need the memory controllers */ |
| if (copy_from_user(&t, useraddr, sizeof(t))) |