Message-ID: <20141107181904.GA11874@kroah.com>
Date: Fri, 7 Nov 2014 10:19:04 -0800
From: Greg KH <gregkh@...uxfoundation.org>
To: Matej Mužila <mmuzila@...hat.com>
Cc: devel@...uxdriverproject.org, linux-kernel@...r.kernel.org,
kys@...rosoft.com,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
dan.carpenter@...cle.com
Subject: Re: [PATCH v2 1/3] tools: hv: fcopy_daemon: Check buffer limits
On Tue, Oct 21, 2014 at 04:46:58PM +0200, Matej Mužila wrote:
> From: Matej Mužila <mmuzila@...hat.com>
>
> Check if cpmsg->size is in limits of DATA_FRAGMENT
>
> Signed-off-by: Matej Mužila <mmuzila@...hat.com>
> ---
>
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check.
>
> Changes made since v1:
> * max value of cpmsg->size is now derived from structure
>   definition in sources/include/uapi/linux/hyperv.h
> * Fixed comments
>
>
> diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
> index 6f27e2f..1fc2dc2 100644
> --- a/tools/hv/hv_fcopy_daemon.c
> +++ b/tools/hv/hv_fcopy_daemon.c
> @@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
> {
> ssize_t bytes_written;
>
> + /* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
> + if (cpmsg->size > sizeof(cpmsg->data))
> + return HV_E_FAIL;
> +
> bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
> cpmsg->offset);
>
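Review bot: the early return added at the top of hv_copy_data() fails with HV_E_FAIL but records nothing about why, so a message with an oversized cpmsg->size is rejected silently; logging the rejected size before returning would make corrupted input diagnosable. The comment above the check only restates the condition; it would be more useful if it said that pwrite() would otherwise read past the end of cpmsg->data. cpmsg->offset is still passed to pwrite() unvalidated, which deserves a sentence in the changelog if that is intentional.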
ALWAYS run your patches through checkpatch before sending them, so you
don't get grumpy emails from maintainers telling you to do the same
thing...

Please fix this up and resend the whole series.

thanks,

greg k-h