lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f55f25f6-559d-bb93-5605-af66678438c2@amd.com>
Date:   Wed, 21 Feb 2018 13:59:55 -0600
From:   Brijesh Singh <brijesh.singh@....com>
To:     Al Viro <viro@...IV.linux.org.uk>
Cc:     brijesh.singh@....com, kvm@...r.kernel.org,
        Paolo Bonzini <pbonzini@...hat.com>,
        Radim Krčmář <rkrcmar@...hat.com>,
        Borislav Petkov <bp@...e.de>,
        Tom Lendacky <thomas.lendacky@....com>,
        linux-kernel@...r.kernel.org, Joerg Roedel <joro@...tes.org>
Subject: Re: [PATCH] KVM: SVM: Fix sparse: incorrect type in argument 1
 (different base types)



On 2/21/18 11:49 AM, Al Viro wrote:
> On Mon, Feb 19, 2018 at 10:12:28AM -0600, Brijesh Singh wrote:
>> Fix sparse: incorrect type in argument 1 (different base types). Typecast
>> the userspace address argument.
> Better question: why the hell do we want that access_ok(), anyway?  The only
> thing we do to params.uaddr is
>         if (blob) {
>                 if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
>                         ret = -EFAULT;
>         }
>
> downstream.  What does that access_ok() buy us?  It does not guarantee that
> copy_to_user() won't fail.  


Sure, checking access_ok() does not guarantee that later
copy_from_user() will not fail. But it does eliminate one possible
reason for the failure. We are trying to validate most of the user
inputs before we invoke  SEV command. The SEV command handler does heavy
lifting (which includes setting up PSP mailbox,  issuing FW command, 
and handling the response etc). I would like to avoid invoking SEV
command when we know for sure that copy_to_user() will fail later.


> It does not clamp params.len (we'd just done
> that explicitly).  So why not somethings like this:
>
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index b3e488a74828..ba2c1a606985 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -6239,13 +6239,15 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  	struct kvm_sev_info *sev = &kvm->arch.sev_info;
>  	struct sev_data_launch_measure *data;
>  	struct kvm_sev_launch_measure params;
> +	void __user *measure = (void __user *)(uintptr_t)argp->data;
> +	void __user *p = NULL;
>  	void *blob = NULL;
>  	int ret;
>  
>  	if (!sev_guest(kvm))
>  		return -ENOTTY;
>  
> -	if (copy_from_user(&params, (void __user *)(uintptr_t)argp->data, sizeof(params)))
> +	if (copy_from_user(&params, measure, sizeof(params)))
>  		return -EFAULT;
>  
>  	data = kzalloc(sizeof(*data), GFP_KERNEL);
> @@ -6256,17 +6258,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  	if (!params.len)
>  		goto cmd;
>  
> -	if (params.uaddr) {
> +	p = (void __user *)(uintptr_t)params.uaddr;
> +	if (p) {
>  		if (params.len > SEV_FW_BLOB_MAX_SIZE) {
>  			ret = -EINVAL;
>  			goto e_free;
>  		}
>  
> -		if (!access_ok(VERIFY_WRITE, params.uaddr, params.len)) {
> -			ret = -EFAULT;
> -			goto e_free;
> -		}
> -
>  		ret = -ENOMEM;
>  		blob = kmalloc(params.len, GFP_KERNEL);
>  		if (!blob)
> @@ -6290,13 +6288,13 @@ static int sev_launch_measure(struct kvm *kvm, struct kvm_sev_cmd *argp)
>  		goto e_free_blob;
>  
>  	if (blob) {
> -		if (copy_to_user((void __user *)(uintptr_t)params.uaddr, blob, params.len))
> +		if (copy_to_user(p, blob, params.len))
>  			ret = -EFAULT;
>  	}
>  
>  done:
>  	params.len = data->len;
> -	if (copy_to_user((void __user *)(uintptr_t)argp->data, &params, sizeof(params)))
> +	if (copy_to_user(measure, &params, sizeof(params)))
>  		ret = -EFAULT;
>  e_free_blob:
>  	kfree(blob);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ