Date: Sun, 26 Jul 2020 23:53:10 +0000
From: Haiyang Zhang <haiyangz@...rosoft.com>
To: Andres Beltran <lkmlabelt@...il.com>,
    Stephen Hemminger <stephen@...workplumber.org>
CC: KY Srinivasan <kys@...rosoft.com>,
    Stephen Hemminger <sthemmin@...rosoft.com>,
    Wei Liu <wei.liu@...nel.org>,
    "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
    Michael Kelley <mikelley@...rosoft.com>,
    Andrea Parri <parri.andrea@...il.com>,
    Saruhan Karademir <skarade@...rosoft.com>
Subject: RE: [PATCH] Drivers: hv: vmbus: Fix variable assignments in hv_ringbuffer_read()

> -----Original Message-----
> From: Andres Beltran <lkmlabelt@...il.com>
> Sent: Friday, July 24, 2020 7:04 PM
> To: Stephen Hemminger <stephen@...workplumber.org>
> Cc: KY Srinivasan <kys@...rosoft.com>; Haiyang Zhang
> <haiyangz@...rosoft.com>; Stephen Hemminger <sthemmin@...rosoft.com>;
> Wei Liu <wei.liu@...nel.org>; linux-hyperv@...r.kernel.org;
> linux-kernel@...r.kernel.org; Michael Kelley <mikelley@...rosoft.com>;
> Andrea Parri <parri.andrea@...il.com>; Saruhan Karademir
> <skarade@...rosoft.com>
> Subject: Re: [PATCH] Drivers: hv: vmbus: Fix variable assignments in
> hv_ringbuffer_read()
>
> On Fri, Jul 24, 2020 at 1:10 PM Stephen Hemminger
> <stephen@...workplumber.org> wrote:
> > What is the rationale for this change, it may break other code.
> >
> > A common API model in Windows world where this originated
> > is to have a call where caller first
> > makes request and then if the requested buffer is not big enough the
> > caller look at the actual length and allocate a bigger buffer.
> >
> > Did you audit all the users of this API to make sure they aren't doing that.
> >
>
> The rationale for the change was to solve instances like the one
> @Haiyang Zhang pointed out, especially in hv_utils, which needs
> additional hardening. Unfortunately, there is an instance in
> hv_pci_onchannelcallback() that does what you just described. Thus,
> the fix will have to be made to all the callers of vmbus_recvpacket()
> and vmbus_recvpacket_raw() to make sure they check the return value,
> which most callers are not doing now. Thanks for pointing out this
> behavior. I was not aware that the length can be checked by callers to
> allocate a bigger buffer.

To prevent future coding error, please add code comments for
hv_ringbuffer_read() to indicate that the buffer_actual_len may be nonzero
when the function fails, and should not be used to determine if the function
succeeds or not.

Thanks,
- Haiyang
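
The contract discussed in this thread, as an added example that is not part of the original messages or of the kernel source: a user-space model in which a read fails on a too-small buffer yet still reports a nonzero length. `model_ring_read()`, both callers, the sample packet and the use of `-ENOBUFS` as the failure code are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample packet standing in for ring-buffer contents. */
static const char sample_pkt[] = "constructed-sample-packet-payload";

/* Hypothetical model of the read contract, not the kernel function. */
int model_ring_read(void *buf, size_t buflen, size_t *actual_len)
{
    *actual_len = sizeof(sample_pkt);      /* nonzero even on failure */
    if (buflen < sizeof(sample_pkt))
        return -ENOBUFS;                   /* assumed error code */
    memcpy(buf, sample_pkt, sizeof(sample_pkt));
    return 0;
}

/* Fragile caller: returns 1 when a failed read still left len nonzero. */
int fragile_caller_misreads(void)
{
    char buf[8] = {0};
    size_t len = 0;
    return model_ring_read(buf, sizeof(buf), &len) != 0 && len > 0;
}

/* Robust caller: success is decided by the return value alone; the
 * reported length is used only to size the retry buffer. */
char *robust_caller_read(size_t *out_len)
{
    size_t buflen = 8, len = 0;
    char *buf = malloc(buflen);
    int ret = -ENOMEM;
    while (buf && (ret = model_ring_read(buf, buflen, &len)) == -ENOBUFS) {
        free(buf);
        buflen = len;                      /* grow to the reported size */
        buf = malloc(buflen);
    }
    if (!buf || ret != 0) { free(buf); return NULL; }
    *out_len = len;
    return buf;
}

int main(void)
{
    size_t n = 0;
    char *p = robust_caller_read(&n);
    int ok = p && n == sizeof(sample_pkt) && fragile_caller_misreads();
    free(p);
    return !ok;
}
```

A caller that tests only the length would treat the 8-byte buffer as holding a packet, while the robust caller retries once and receives the full payload.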