| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 13:59:55 -0600
From: Brijesh Singh <brijesh.singh@....com>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: brijesh.singh@....com, kvm@...r.kernel.org,
Paolo Bonzini <pbonzini@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>,
Borislav Petkov <bp@...e.de>,
Tom Lendacky <thomas.lendacky@....com>,
linux-kernel@...r.kernel.org, Joerg Roedel <joro@...tes.org>
Subject: Re: [PATCH] KVM: SVM: Fix sparse: incorrect type in argument 1
(different base types)
On 2/21/18 11:49 AM, Al Viro wrote:
> On Mon, Feb 19, 2018 at 10:12:28AM -0600, Brijesh Singh wrote:
>> Fix sparse: incorrect type in argument 1 (different base types). Typecast
>> the userspace address argument.
> Better question: why the hell do we want that access_ok(), anyway? The only
> thing we do to params.uaddr is
> if (blob) {
> if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
> ret = -EFAULT;
> }
>
> downstream. What does that access_ok() buy us? It does not guarantee that
> copy_to_user() won't fail.
Sure, checking access_ok() does not guarantee that later
copy_from_user() will not fail. But it does eliminate one possible
reason for the failure. We are trying to validate most of the user
inputs before we invoke SEV command. The SEV command handler does heavy
lifting (which includes setting up PSP mailbox, issuing FW command,
and handling the response etc). I would like to avoid invoking SEV
command when we know for sure that copy_to_user() will fail later.
> It does not clamp params.len (we'd just done
> that explicitly). So why not somethings like this:
>
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index b3e488a74828..ba2c1a606985 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -6239,13 +6239,15 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
> struct kvm_sev_info *sev = &kvm->arch.sev_info;
> struct sev_data_launch_measure *data;
> struct kvm_sev_launch_measure params;
> + void __user *measure = (void __user *)(uintptr_t)argp->data;
> + void __user *p = NULL;
> void *blob = NULL;
> int ret;
>
> if (!sev_guest(kvm))
> return -ENOTTY;
>
> - if (copy_from_user(¶ms, (void __user *)(uintptr_t)argp->data, sizeof(params)))
> + if (copy_from_user(¶ms, measure, sizeof(params)))
> return -EFAULT;
>
> data = kzalloc(sizeof(*data), GFP_KERNEL);
> @@ -6256,17 +6258,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
> if (!params.len)
> goto cmd;
>
> - if (params.uaddr) {
> + p = (void __user *)(uintptr_t)params.uaddr;
> + if (p) {
> if (params.len > SEV_FW_BLOB_MAX_SIZE) {
> ret = -EINVAL;
> goto e_free;
> }
>
> - if (!access_ok(VERIFY_WRITE, params.uaddr, params.len)) {
> - ret = -EFAULT;
> - goto e_free;
> - }
> -
> ret = -ENOMEM;
> blob = kmalloc(params.len, GFP_KERNEL);
> if (!blob)
> @@ -6290,13 +6288,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
> goto e_free_blob;
>
> if (blob) {
> - if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
> + if (copy_to_user(p, blob, params.len))
> ret = -EFAULT;
> }
>
> done:
> params.len = data->len;
> - if (copy_to_user((void __user *)(uintptr_t)argp->data, ¶ms, sizeof(params)))
> + if (copy_to_user(measure, ¶ms, sizeof(params)))
> ret = -EFAULT;
> e_free_blob:
> kfree(blob);
Powered by blists - more mailing lists