| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Dec 2020 17:10:26 +0000
From: Michael Kelley <mikelley@...rosoft.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: KY Srinivasan <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Stephen Hemminger <sthemmin@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
Juan Vazquez <juvazq@...rosoft.com>,
Saruhan Karademir <skarade@...rosoft.com>
Subject: RE: [PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in
vmbus_on_msg_dpc()
From: Andrea Parri (Microsoft) <parri.andrea@...il.com> Sent: Wednesday, November 18, 2020 6:37 AM
>
> vmbus_on_msg_dpc() double fetches from msgtype. The double fetch can
> lead to an out-of-bound access when accessing the channel_message_table
> array. In turn, the use of the out-of-bound entry could lead to code
> execution primitive (entry->message_handler()). Avoid the double fetch
> by saving the value of msgtype into a local variable.
The commit message is missing some context. Why is a double fetch a
problem? The comments below in the code explain why, but the why
should also be briefly explained in the commit message.
>
> Reported-by: Juan Vazquez <juvazq@...rosoft.com>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@...il.com>
> ---
> drivers/hv/vmbus_drv.c | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 0a2711aa63a15..82b23baa446d7 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -1057,6 +1057,7 @@ void vmbus_on_msg_dpc(unsigned long data)
> struct hv_message *msg = (struct hv_message *)page_addr +
> VMBUS_MESSAGE_SINT;
> struct vmbus_channel_message_header *hdr;
> + enum vmbus_channel_message_type msgtype;
> const struct vmbus_channel_message_table_entry *entry;
> struct onmessage_work_context *ctx;
> u32 message_type = msg->header.message_type;
> @@ -1072,12 +1073,19 @@ void vmbus_on_msg_dpc(unsigned long data)
> /* no msg */
> return;
>
> + /*
> + * The hv_message object is in memory shared with the host. The host
> + * could erroneously or maliciously modify such object. Make sure to
> + * validate its fields and avoid double fetches whenever feasible.
The "when feasible" phrase sounds like not doing double fetches is optional in
some circumstances. But I think we always have to protect against modification
of memory shared with the host. So perhaps the comment should be more
precise.
> + */
> +
> hdr = (struct vmbus_channel_message_header *)msg->u.payload;
> + msgtype = hdr->msgtype;
>
> trace_vmbus_on_msg_dpc(hdr);
>
> - if (hdr->msgtype >= CHANNELMSG_COUNT) {
> - WARN_ONCE(1, "unknown msgtype=%d\n", hdr->msgtype);
> + if (msgtype >= CHANNELMSG_COUNT) {
> + WARN_ONCE(1, "unknown msgtype=%d\n", msgtype);
> goto msg_handled;
> }
>
> @@ -1087,14 +1095,14 @@ void vmbus_on_msg_dpc(unsigned long data)
> goto msg_handled;
> }
>
> - entry = &channel_message_table[hdr->msgtype];
> + entry = &channel_message_table[msgtype];
>
> if (!entry->message_handler)
> goto msg_handled;
>
> if (msg->header.payload_size < entry->min_payload_len) {
> WARN_ONCE(1, "message too short: msgtype=%d len=%d\n",
> - hdr->msgtype, msg->header.payload_size);
> + msgtype, msg->header.payload_size);
> goto msg_handled;
> }
>
> @@ -1115,7 +1123,7 @@ void vmbus_on_msg_dpc(unsigned long data)
> * by offer_in_progress and by channel_mutex. See also the
> * inline comments in vmbus_onoffer_rescind().
> */
> - switch (hdr->msgtype) {
> + switch (msgtype) {
> case CHANNELMSG_RESCIND_CHANNELOFFER:
> /*
> * If we are handling the rescind message;
> --
> 2.25.1
Powered by blists - more mailing lists