lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20170822111607.0397a16d@w520.home>
Date:   Tue, 22 Aug 2017 11:16:07 -0600
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Paolo Bonzini <pbonzini@...hat.com>
Cc:     nixiaoming <nixiaoming@...wei.com>, kvm@...r.kernel.org,
        linux-api@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] virt/lib avoids oops by adding parameter checking

On Tue, 22 Aug 2017 15:39:04 +0200
Paolo Bonzini <pbonzini@...hat.com> wrote:

> On 22/08/2017 03:07, nixiaoming wrote:
> > The error parameter passed through the external interface
> > causes the system oops. So it is necessary to increase the
> > parameter check for all EXPORT_SYMBOL_GPL
> > 
> > example:
> >  int irq_bypass_register_producer(struct irq_bypass_producer *producer)
> >  {
> >  	if (!producer->token) /* oops if producer == null */
> >  		return -einval;
> >  }
> >  EXPORT_SYMBOL_GPL(irq_bypass_register_producer);  
> 
> This is used like this:
> 
> drivers/vfio/pci/vfio_pci_intrs.c:		irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
> drivers/vfio/pci/vfio_pci_intrs.c:	ret = irq_bypass_register_producer(&vdev->ctx[vector].producer);
> virt/kvm/eventfd.c:	irq_bypass_unregister_consumer(&irqfd->consumer);
> virt/kvm/eventfd.c:		ret = irq_bypass_register_consumer(&irqfd->consumer);
> 
> So your check won't actually catch irqfd or vdev being NULL.

Additionally, I don't know of a reference to how extensively we should
harden these sorts of interfaces to misuse.  Just because a symbol is
exported doesn't necessarily mean that the function needs to be
hardened against misuse as we might for an interface exposed to a
user.  It's called by kernel mode code which can already do anything
it pleases to cause an oops.  If such hardening makes the calling
conventions or code flow easier, or results in a function that's easier
to use correctly or harder to misuse, then I think it's justified.  None
of that has been proven here and certainly doesn't seem to be the case
based on the current in-tree users.  Can the patch submitter justify
that this is "necessary" as claimed in the commit log?  Thanks,

Alex

> > Signed-off-by: nixiaoming <nixiaoming@...wei.com>
> > ---
> >  virt/lib/irqbypass.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/virt/lib/irqbypass.c b/virt/lib/irqbypass.c
> > index 6d2fcd6..2bb99e8 100644
> > --- a/virt/lib/irqbypass.c
> > +++ b/virt/lib/irqbypass.c
> > @@ -89,7 +89,7 @@ int irq_bypass_register_producer(struct irq_bypass_producer *producer)
> >  	struct irq_bypass_producer *tmp;
> >  	struct irq_bypass_consumer *consumer;
> >  
> > -	if (!producer->token)
> > +	if (!producer || !producer->token)
> >  		return -EINVAL;
> >  
> >  	might_sleep();
> > @@ -139,7 +139,7 @@ void irq_bypass_unregister_producer(struct irq_bypass_producer *producer)
> >  	struct irq_bypass_producer *tmp;
> >  	struct irq_bypass_consumer *consumer;
> >  
> > -	if (!producer->token)
> > +	if (!producer || !producer->token)
> >  		return;
> >  
> >  	might_sleep();
> > @@ -183,7 +183,7 @@ int irq_bypass_register_consumer(struct irq_bypass_consumer *consumer)
> >  	struct irq_bypass_consumer *tmp;
> >  	struct irq_bypass_producer *producer;
> >  
> > -	if (!consumer->token ||
> > +	if (!consumer || !consumer->token ||
> >  	    !consumer->add_producer || !consumer->del_producer)
> >  		return -EINVAL;
> >  
> > @@ -234,7 +234,7 @@ void irq_bypass_unregister_consumer(struct irq_bypass_consumer *consumer)
> >  	struct irq_bypass_consumer *tmp;
> >  	struct irq_bypass_producer *producer;
> >  
> > -	if (!consumer->token)
> > +	if (!consumer || !consumer->token)
> >  		return;
> >  
> >  	might_sleep();
> >   
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ