8139too link beat status and possible security hole through MII ioctls()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi!

In contrast to some other Linux network drivers (notably eepro100)
your 8139too 0.9.26 doesn't allow access to the link beat status when
the interface is down, i.e. SIOCETHTOOL, SIOCGMIIPHY, SIOCGMIIREG,
SIOCDEVPRIVATE and SIOCDEVPRIVATE+1 fail. This seems to me not to be
optimal, since some programs like automatic plug-in detection daemons
(such as ifd, netplugd or my own ifplugd) rely on being able to query
the link status when the interface is down. I removed the two lines
that prevent that access from my version of the driver and still have
a perfectly working system. If there are no good reasons for not
removing these lines I suggest doing this in your upstream driver, as
well. I attached a trivial patch doing just that.

Another related issue: Currently access to the link beat status via
SIOETHTOOL and SIOCGMII* is not allowed for normal users. However it
might be desirable to change this for being able to develop some
applets which show the link status on your desktop's status bar. There
is even a certain inconsistency and security issue: the older
SIOGDEVPRIVATE ioctls (including those for modifying MII registers)
work for normal users, since the security checks in net/core/dev.c
only work for SIOCETHTOOL and SIOCGMII*, not for SIODEVPRIVATE; they
are passed untested to the specific driver, which doesn't check for
security any further. (at least 8139too doesn't do so)

I'd suggest loosening access rights for querying the link beat status
while aggravating the access rights for writing MII register
access. Shall I prepare a patch doing both for for 8139too?

KUTGW,
 Lennart

PS: the url of my specific plugging daemon is
http://www.stud.uni-hamburg.de/users/lennart/projects/ifplugd/

-- 
name { Lennart Poettering } mail { XXXXXXXXXXXXXXXXXXXXX }
icq { 11060553 } www { http://www.poettering.de/lennart/ }
loc { hamburg, germany } pgp { 0x1A015CC4 } hack { .phi. }

--- 8139too.c.dist	Thu Oct 31 23:45:04 2002
+++ 8139too.c	Thu Oct 31 23:45:46 2002
@@ -2449,8 +2449,8 @@
 	int rc = 0;
 	int phy = tp->phys[0] & 0x3f;
 
-	if (!netif_running(dev))
-		return -EINVAL;
+//	if (!netif_running(dev))
+//		return -EINVAL;
 
 	if (cmd != SIOCETHTOOL) {
 		/* With SIOCETHTOOL, this would corrupt the pointer.  */

Attachment: pgp00041.pgp
Description: PGP signature

[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux 802.1Q VLAN]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Git]     [Bugtraq]     [Yosemite News and Information]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux PCI]     [Linux Admin]     [Samba]

  Powered by Linux