From patchwork Sun May 17 17:20:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Hutchings X-Patchwork-Id: 219085 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66337C433DF for ; Sun, 17 May 2020 17:20:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3F226205CB for ; Sun, 17 May 2020 17:20:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726254AbgEQRU6 (ORCPT ); Sun, 17 May 2020 13:20:58 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:43432 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726242AbgEQRU6 (ORCPT ); Sun, 17 May 2020 13:20:58 -0400 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1jaMy6-0006Mt-AM; Sun, 17 May 2020 18:20:54 +0100 Received: from ben by deadeye with local (Exim 4.93) (envelope-from ) id 1jaMy5-0035KG-TB; Sun, 17 May 2020 18:20:53 +0100 Date: Sun, 17 May 2020 18:20:53 +0100 From: Ben Hutchings To: Tariq Toukan Cc: 960702@bugs.debian.org, netdev@vger.kernel.org Subject: [PATCH net] mlx4: Fix information leak on failure to read module EEPROM Message-ID: <20200517172053.GA734488@decadent.org.uk> MIME-Version: 1.0 Content-Disposition: inline X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org mlx4_en_get_module_eeprom() returns 0 even if it fails. This results in copying an uninitialised (or partly initialised) buffer back to user-space. Change it so that: * In the special case that the DOM turns out not to be readable, the remaining part of the buffer is cleared. This should avoid a regression when reading modules with this problem. * In other error cases, the error code is propagated. Reported-by: Yannis Aribaud References: https://bugs.debian.org/960702 Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/...") Signed-off-by: Ben Hutchings --- This is compile-tested only. It should go to stable, if it is a correct fix. Ben. drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c index 8a5ea2543670..6edc3177af1c 100644 --- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c @@ -2078,14 +2078,17 @@ static int mlx4_en_get_module_eeprom(struct net_device *dev, ret = mlx4_get_module_info(mdev->dev, priv->port, offset, ee->len - i, data + i); - if (!ret) /* Done reading */ + if (!ret) { + /* DOM was not readable after all */ + memset(data + i, 0, ee->len - i); return 0; + } if (ret < 0) { en_err(priv, "mlx4_get_module_info i(%d) offset(%d) bytes_to_read(%d) - FAILED (0x%x)\n", i, offset, ee->len - i, ret); - return 0; + return ret; } i += ret;