| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Dec 2020 17:14:18 +0000
From: Michael Kelley <mikelley@...rosoft.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: KY Srinivasan <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Stephen Hemminger <sthemmin@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
Juan Vazquez <juvazq@...rosoft.com>,
Saruhan Karademir <skarade@...rosoft.com>
Subject: RE: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of
payload_size in vmbus_on_msg_dpc()
From: Andrea Parri (Microsoft) <parri.andrea@...il.com> Sent: Wednesday, November 18, 2020 6:37 AM
>
> vmbus_on_msg_dpc() double fetches from payload_size. The double fetch
> can lead to a buffer overflow when (mem)copying the hv_message object.
> Avoid the double fetch by saving the value of payload_size into a local
> variable.
Similar comment here about providing some brief context in the commit
message on the problem that we are guarding against by removing the
double fetch.
I could see combining this patch with the previous one since the
motivation and pattern of the changes are exactly the same, just for
two different fields.
Michael
>
> Reported-by: Juan Vazquez <juvazq@...rosoft.com>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@...il.com>
> ---
> drivers/hv/vmbus_drv.c | 17 +++++++----------
> 1 file changed, 7 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 82b23baa446d7..0e39f1d6182e9 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -1056,6 +1056,7 @@ void vmbus_on_msg_dpc(unsigned long data)
> void *page_addr = hv_cpu->synic_message_page;
> struct hv_message *msg = (struct hv_message *)page_addr +
> VMBUS_MESSAGE_SINT;
> + __u8 payload_size = msg->header.payload_size;
> struct vmbus_channel_message_header *hdr;
> enum vmbus_channel_message_type msgtype;
> const struct vmbus_channel_message_table_entry *entry;
> @@ -1089,9 +1090,8 @@ void vmbus_on_msg_dpc(unsigned long data)
> goto msg_handled;
> }
>
> - if (msg->header.payload_size > HV_MESSAGE_PAYLOAD_BYTE_COUNT) {
> - WARN_ONCE(1, "payload size is too large (%d)\n",
> - msg->header.payload_size);
> + if (payload_size > HV_MESSAGE_PAYLOAD_BYTE_COUNT) {
> + WARN_ONCE(1, "payload size is too large (%d)\n", payload_size);
> goto msg_handled;
> }
>
> @@ -1100,21 +1100,18 @@ void vmbus_on_msg_dpc(unsigned long data)
> if (!entry->message_handler)
> goto msg_handled;
>
> - if (msg->header.payload_size < entry->min_payload_len) {
> - WARN_ONCE(1, "message too short: msgtype=%d len=%d\n",
> - msgtype, msg->header.payload_size);
> + if (payload_size < entry->min_payload_len) {
> + WARN_ONCE(1, "message too short: msgtype=%d len=%d\n", msgtype,
> payload_size);
> goto msg_handled;
> }
>
> if (entry->handler_type == VMHT_BLOCKING) {
> - ctx = kmalloc(sizeof(*ctx) + msg->header.payload_size,
> - GFP_ATOMIC);
> + ctx = kmalloc(sizeof(*ctx) + payload_size, GFP_ATOMIC);
> if (ctx == NULL)
> return;
>
> INIT_WORK(&ctx->work, vmbus_onmessage_work);
> - memcpy(&ctx->msg, msg, sizeof(msg->header) +
> - msg->header.payload_size);
> + memcpy(&ctx->msg, msg, sizeof(msg->header) + payload_size);
>
> /*
> * The host can generate a rescind message while we
> --
> 2.25.1
Powered by blists - more mailing lists