| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAK8P3a3Lj_cEc40vAe9LiX3RwvvKVvCxxYsMPxxHn0BcenQt7Q@mail.gmail.com>
Date: Mon, 5 Feb 2018 16:47:18 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Jan Beulich <JBeulich@...e.com>
Cc: David Laight <David.Laight@...lab.com>,
xen-devel <xen-devel@...ts.xenproject.org>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Juergen Gross <jgross@...e.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
On Mon, Feb 5, 2018 at 4:14 PM, Jan Beulich <JBeulich@...e.com> wrote:
>>>> On 05.02.18 at 16:03, <arnd@...db.de> wrote:
>> int xen_event_channel_op_compat(int cmd, void *arg)
>> {
>> - struct evtchn_op op;
>> + struct evtchn_op op = { .cmd = cmd, };
>> + size_t len;
>> int rc;
>>
>> - op.cmd = cmd;
>> - memcpy(&op.u, arg, sizeof(op.u));
>> - rc = _hypercall1(int, event_channel_op_compat, &op);
>> -
>> - switch (cmd) {
>> - case EVTCHNOP_close:
>> - case EVTCHNOP_send:
>> - case EVTCHNOP_bind_vcpu:
>> - case EVTCHNOP_unmask:
>> - /* no output */
>> - break;
>> + if (cmd > ARRAY_SIZE(evtchnop_len))
>> + return -ENOSYS;
>
>>= perhaps?
Argh, of course. This is why I preferred the switch/case version, I knew
I'd screw this up somehow ;-)
Arnd
Powered by blists - more mailing lists