Date:	Mon, 16 Sep 2013 10:09:53 -0700
From:	Dmitry Torokhov <dmitry.torokhov@...il.com>
To:	KY Srinivasan <kys@...rosoft.com>
Cc:	Dan Carpenter <dan.carpenter@...cle.com>,
	"olaf@...fle.de" <olaf@...fle.de>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"jasowang@...hat.com" <jasowang@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"vojtech@...e.cz" <vojtech@...e.cz>,
	"linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
	"apw@...onical.com" <apw@...onical.com>,
	"devel@...uxdriverproject.org" <devel@...uxdriverproject.org>
Subject: Re: [PATCH 1/1] Drivers: input: serio: New driver to support Hyper-V
 synthetic keyboard

On Mon, Sep 16, 2013 at 04:56:03PM +0000, KY Srinivasan wrote:
> 
> 
> > -----Original Message-----
> > From: Dan Carpenter [mailto:dan.carpenter@...cle.com]
> > Sent: Monday, September 16, 2013 8:06 AM
> > To: KY Srinivasan
> > Cc: olaf@...fle.de; gregkh@...uxfoundation.org; jasowang@...hat.com;
> > dmitry.torokhov@...il.com; linux-kernel@...r.kernel.org; vojtech@...e.cz;
> > linux-input@...r.kernel.org; apw@...onical.com; devel@...uxdriverproject.org
> > Subject: Re: [PATCH 1/1] Drivers: input: serio: New driver to support Hyper-V
> > synthetic keyboard
> > 
> > On Mon, Sep 16, 2013 at 02:46:24PM +0000, KY Srinivasan wrote:
> > > > > +			case VM_PKT_DATA_INBAND:
> > > > > +				hv_kbd_on_receive(device, desc);
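Review bot: In the VM_PKT_DATA_INBAND case, hv_kbd_on_receive(device, desc) is handed only the descriptor and not the number of bytes the receive call returned, so the callee has nothing to validate the descriptor's offset against. Pass the received length down and drop the packet when the offset plus the expected message size exceeds it.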
> > > >
> > > > This is the error handling I mentioned at the top.  hv_kbd_on_receive()
> > > > doesn't take into consideration the amount of data we received, it
> > > > trusts the offset we received from the user.  There is an out of bounds
> > > > read.
> > >
> > > What user are you referring to. The message is sent by the host - the user keystroke
> > > is normalized into a fixed size packet by the host and sent to the guest. We will parse this
> > > packet, based on the host specified layout here.
> > >
> > 
> > The user means the hypervisor, yes.
> > 
> > I don't want the hypervisor accessing outside of the buffer.  It is
> > a robustness issue.  Just check the offset against "bytes_recvd".  It's
> > not complicated.
> 
> At the outset, let me apologize for not understanding your concern.
> You say: " I don't want the hypervisor accessing outside of the buffer"
> Where did you see the hypervisor accessing anything outside the buffer?
> The buffer is allocated by this driver and a packet from vmbus is read into this
> buffer - this is the call to vmbus_recvpacket(). If the specified buffer is smaller
> than the packet that needs to be read, then nothing will be read. Once the read
> completes, we can be sure we have read a valid packet and can proceed to parse it in
> this driver.

The concern is that the number of bytes received and the contents of a packet
are not in sync. Imagine if we were told that 16 bytes were received but
in the packet the offset is 78. Then we'll try reading well past the buffer
boundary that we allocated for the packets.

Thanks.

-- 
Dmitry
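
The mismatch described in the message above (16 bytes received, offset 78 in the packet), as an added example that is not part of the original message or of the driver patch: a parser that checks a sender-supplied offset against the received length before reading. The `pkt_desc` and `kbd_msg` layouts and the `parse_packet` and `check_case` functions are hypothetical and simplified, not the vmbus structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layouts for illustration (not the vmbus structs). */
struct pkt_desc {
    uint16_t type;
    uint16_t offset;            /* payload byte offset, chosen by the sender */
};
struct kbd_msg {
    uint32_t msg_type;
    uint16_t make_code;
    uint16_t flags;
};

/* Returns 0 and fills *out only if the sender-supplied offset and the fixed
 * payload size both fit inside the bytes actually received; -1 otherwise. */
int parse_packet(const uint8_t *buf, size_t bytes_recvd, struct kbd_msg *out)
{
    struct pkt_desc desc;

    if (bytes_recvd < sizeof(desc))
        return -1;
    memcpy(&desc, buf, sizeof(desc));
    /* Subtract instead of adding so the comparison cannot wrap around. */
    if (desc.offset < sizeof(desc) || desc.offset > bytes_recvd ||
        bytes_recvd - desc.offset < sizeof(*out))
        return -1;
    memcpy(out, buf + desc.offset, sizeof(*out));
    return 0;
}

/* Constructed input: a zeroed 128-byte receive buffer whose descriptor claims
 * `offset`, with only the first `bytes_recvd` bytes (<= 128) reported valid. */
int check_case(uint16_t offset, size_t bytes_recvd)
{
    uint8_t buf[128] = {0};
    struct pkt_desc desc = { .type = 1, .offset = offset };
    struct kbd_msg msg;

    memcpy(buf, &desc, sizeof(desc));
    return parse_packet(buf, bytes_recvd, &msg);
}

int main(void)
{
    printf("recvd=16 offset=78 -> %d\n", check_case(78, 16));
    printf("recvd=16 offset=8  -> %d\n", check_case(8, 16));
    return 0;
}
```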