lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 27 Jan 2022 15:57:39 +0000
From:   "Michael Kelley (LINUX)" <mikelley@...rosoft.com>
To:     "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        KY Srinivasan <kys@...rosoft.com>,
        Haiyang Zhang <haiyangz@...rosoft.com>,
        Stephen Hemminger <sthemmin@...rosoft.com>,
        Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>
CC:     "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
        "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>
Subject: RE: [PATCH][next] scsi: storvsc: Use struct_size() helper in
 storvsc_queuecommand()

From: Gustavo A. R. Silva <gustavoars@...nel.org> Sent: Tuesday, January 25, 2022 11:42 AM
> 
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows that,
> in the worst scenario, could lead to heap overflows.
> 
> Also, address the following sparse warnings:
> drivers/scsi/storvsc_drv.c:1843:39: warning: using sizeof on a flexible structure
> 
> Link: https://github.com/KSPP/linux/issues/174
> Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> ---
>  drivers/scsi/storvsc_drv.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
> index 9a0bba5a51a7..89c20dfc6609 100644
> --- a/drivers/scsi/storvsc_drv.c
> +++ b/drivers/scsi/storvsc_drv.c
> @@ -1755,7 +1755,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host,
> struct scsi_cmnd *scmnd)
>  	struct scatterlist *sgl;
>  	struct vmscsi_request *vm_srb;
>  	struct vmbus_packet_mpb_array  *payload;
> -	u32 payload_sz;
> +	size_t payload_sz;

Does changing this variable to type size_t accomplish anything?  It will
be stored into cmd_request->payload_sz, which is still a u32.  The code
in storvsc_do_io() and storvsc_command_completion() will process it
as a 32 bit value.

>  	u32 length;
> 
>  	if (vmstor_proto_version <= VMSTOR_PROTO_VERSION_WIN8) {
> @@ -1839,8 +1839,8 @@ static int storvsc_queuecommand(struct Scsi_Host *host,
> struct scsi_cmnd *scmnd)
> 
>  		if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
> 
> -			payload_sz = (hvpg_count * sizeof(u64) +
> -				      sizeof(struct vmbus_packet_mpb_array));
> +			payload_sz = struct_size(payload, range.pfn_array,
> +						 hvpg_count);
>  			payload = kzalloc(payload_sz, GFP_ATOMIC);
>  			if (!payload)
>  				return SCSI_MLQUEUE_DEVICE_BUSY;
> --
> 2.27.0

Overall this is an incremental improvement.  But the code is
still implicitly dependent on  scsi_bufflen() returning a 32-bit
value into the local variable "length", and hence hvpg_count
will always produce a payload_sz that fits in 32-bits.

I would be OK with taking this, minus the change to the type
of the local variable payload_sz.

Michael

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ