| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200331075603.GB26583@infradead.org>
Date: Tue, 31 Mar 2020 00:56:03 -0700
From: Christoph Hellwig <hch@...radead.org>
To: "Liu, Yi L" <yi.l.liu@...el.com>
Cc: alex.williamson@...hat.com, eric.auger@...hat.com,
jean-philippe@...aro.org, kevin.tian@...el.com,
ashok.raj@...el.com, kvm@...r.kernel.org, jun.j.tian@...el.com,
iommu@...ts.linux-foundation.org, linux-kernel@...r.kernel.org,
yi.y.sun@...el.com, hao.wu@...el.com
Subject: Re: [PATCH v1 7/8] vfio/type1: Add VFIO_IOMMU_CACHE_INVALIDATE
> @@ -2629,6 +2638,46 @@ static long vfio_iommu_type1_ioctl(void *iommu_data,
> }
> kfree(gbind_data);
> return ret;
> + } else if (cmd == VFIO_IOMMU_CACHE_INVALIDATE) {
Please refactor the spaghetti in this ioctl handler to use a switch
statement and a helper function per command before growing it even more.
> + /* Get the version of struct iommu_cache_invalidate_info */
> + if (copy_from_user(&version,
> + (void __user *) (arg + minsz), sizeof(version)))
> + return -EFAULT;
> +
> + info_size = iommu_uapi_get_data_size(
> + IOMMU_UAPI_CACHE_INVAL, version);
> +
> + cache_info = kzalloc(info_size, GFP_KERNEL);
> + if (!cache_info)
> + return -ENOMEM;
> +
> + if (copy_from_user(cache_info,
> + (void __user *) (arg + minsz), info_size)) {
The user might have changed the version while you were allocating and
freeing the memory, introducing potentially exploitable racing
conditions.
Powered by blists - more mailing lists