lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 16 Feb 2024 13:05:35 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: kovalev@...linux.org, keescook@...omium.org
Cc: arnd@...db.de, bryantan@...are.com, darren.kenny@...cle.com,
        error27@...il.com, gregkh@...uxfoundation.org, gustavoars@...nel.org,
        linux-hardening@...r.kernel.org, linux-kernel@...r.kernel.org,
        pv-drivers@...are.com, syzkaller@...glegroups.com, vdasa@...are.com,
        vegard.nossum@...cle.com, nickel@...linux.org, oficerovas@...linux.org,
        dutyrok@...linux.org
Subject: Re: [PATCH v2 2/2] VMCI: Fix memcpy() run-time warning in
 dg_dispatch_as_host()

Hi Kovalev,

On 11/01/24 6:23 pm, kovalev@...linux.org wrote:
> Hello, I was also working on solving this problem
> https://lore.kernel.org/lkml/20240110104042.31865-1-kovalev@altlinux.org/T/#t.
> 
> Please note that there are 2 such places in the code, and by analogy with your
> version of the changes, including changes in the approach to calculating the
> size of the allocated memory, additional changes on top of your changes will
> be as follows:
> 
> diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c
> index ba379cd6d054bd..1a50fcea681bf8 100644
> --- a/drivers/misc/vmw_vmci/vmci_datagram.c
> +++ b/drivers/misc/vmw_vmci/vmci_datagram.c
> @@ -369,8 +369,9 @@ int vmci_datagram_invoke_guest_handler(struct vmci_datagram *dg)
>          if (dst_entry->run_delayed) {
>                  struct delayed_datagram_info *dg_info;
>   
> -               dg_info = kmalloc(sizeof(*dg_info) + (size_t)dg->payload_size,
> +               dg_info = kmalloc(struct_size(dg_info, msg_payload, dg->payload_size),
>                                    GFP_ATOMIC);
> +
>                  if (!dg_info) {
>                          vmci_resource_put(resource);
>                          return VMCI_ERROR_NO_MEM;
> @@ -378,7 +379,9 @@ int vmci_datagram_invoke_guest_handler(struct vmci_datagram *dg)
>   
>                  dg_info->in_dg_host_queue = false;
>                  dg_info->entry = dst_entry;
> -               memcpy(&dg_info->msg, dg, VMCI_DG_SIZE(dg));
> +               dg_info->msg = *dg;
> +               memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
> +
>   
>                  INIT_WORK(&dg_info->work, dg_delayed_dispatch);
>                  schedule_work(&dg_info->work);
I think you need to send a separate patch/patches for this.

[linux-next]$ git describe
next-20240216
[linux-next]$ git log --oneline drivers/misc/vmw_vmci/vmci_datagram.c
19b070fefd0d VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
e03d4910e6e4 VMCI: Use struct_size() in kmalloc()

I see that the two patches I sent are applied by Kees and are in linux-next.

I am thinking if we can reproduce the above WARNING in 
vmci_datagram_invoke_guest_handler() by modifying the C reproducer 
generated by Syzkaller for dg_dispatch_as_host()

Thanks,
Harshit

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ