lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 30 Oct 2017 14:40:10 -0700
From:   Stefano Stabellini <sstabellini@...nel.org>
To:     boris.ostrovsky@...cle.com
Cc:     sstabellini@...nel.org, xen-devel@...ts.xen.org,
        linux-kernel@...r.kernel.org, jgross@...e.com, stefano@...reto.com
Subject: [PATCH 1/2] pvcalls: check return value from copy_from/to_iter

Check the return value of copy_from_iter in __write_ring and
copy_to_iter in __read_ring. Update "len" accordingly.

In the cases where we issue two consecutive copy_from_iter, or two
consecutive copy_to_iter, first check return, then goto out if it is not
what we expect.

Signed-off-by: Stefano Stabellini <sstabellini@...nel.org>
---
 drivers/xen/pvcalls-front.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/drivers/xen/pvcalls-front.c b/drivers/xen/pvcalls-front.c
index 8e7426083..f2dcac88 100644
--- a/drivers/xen/pvcalls-front.c
+++ b/drivers/xen/pvcalls-front.c
@@ -456,18 +456,21 @@ static int __write_ring(struct pvcalls_data_intf *intf,
 	masked_cons = pvcalls_mask(cons, array_size);
 
 	if (masked_prod < masked_cons) {
-		copy_from_iter(data->out + masked_prod, len, msg_iter);
+		len = copy_from_iter(data->out + masked_prod, len, msg_iter);
 	} else {
 		if (len > array_size - masked_prod) {
-			copy_from_iter(data->out + masked_prod,
+			int ret = copy_from_iter(data->out + masked_prod,
 				       array_size - masked_prod, msg_iter);
-			copy_from_iter(data->out,
-				       len - (array_size - masked_prod),
-				       msg_iter);
+			if (ret != array_size - masked_prod) {
+				len = ret;
+				goto out;
+			}
+			len = ret + copy_from_iter(data->out, len - ret, msg_iter);
 		} else {
-			copy_from_iter(data->out + masked_prod, len, msg_iter);
+			len = copy_from_iter(data->out + masked_prod, len, msg_iter);
 		}
 	}
+out:
 	/* write to ring before updating pointer */
 	virt_wmb();
 	intf->out_prod += len;
@@ -557,18 +560,21 @@ static int __read_ring(struct pvcalls_data_intf *intf,
 		len = size;
 
 	if (masked_prod > masked_cons) {
-		copy_to_iter(data->in + masked_cons, len, msg_iter);
+		len = copy_to_iter(data->in + masked_cons, len, msg_iter);
 	} else {
 		if (len > (array_size - masked_cons)) {
-			copy_to_iter(data->in + masked_cons,
+			int ret = copy_to_iter(data->in + masked_cons,
 				     array_size - masked_cons, msg_iter);
-			copy_to_iter(data->in,
-				     len - (array_size - masked_cons),
-				     msg_iter);
+			if (ret != array_size - masked_cons) {
+				len = ret;
+				goto out;
+			}
+			len = ret + copy_to_iter(data->in, len - ret, msg_iter);
 		} else {
-			copy_to_iter(data->in + masked_cons, len, msg_iter);
+			len = copy_to_iter(data->in + masked_cons, len, msg_iter);
 		}
 	}
+out:
 	/* read data from the ring before increasing the index */
 	virt_mb();
 	if (!(flags & MSG_PEEK))
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ