lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210209042530-mutt-send-email-mst@kernel.org>
Date:   Tue, 9 Feb 2021 04:31:23 -0500
From:   "Michael S. Tsirkin" <mst@...hat.com>
To:     Jason Wang <jasowang@...hat.com>
Cc:     Stefano Garzarella <sgarzare@...hat.com>,
        virtualization@...ts.linux-foundation.org,
        Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()

On Tue, Feb 09, 2021 at 11:24:03AM +0800, Jason Wang wrote:
> 
> On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
> > On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > > It's legal to have 'offset + len' equal to
> > > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > > 'struct virtio_net_config', so we can safely copy its content under
> > > this condition.
> > > 
> > > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> > > Cc: stable@...r.kernel.org
> > > Signed-off-by: Stefano Garzarella <sgarzare@...hat.com>
> > > ---
> > >   drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > index dc88559a8d49..10e9b09932eb 100644
> > > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
> > >   	struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> > >   	struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
> > > -	if (offset + len < sizeof(struct virtio_net_config))
> > > +	if (offset + len <= sizeof(struct virtio_net_config))
> > >   		memcpy(buf, (u8 *)&ndev->config + offset, len);
> > >   }
> > Actually first I am not sure we need these checks at all.
> > vhost_vdpa_config_validate already validates the values, right?
> 
> 
> I think they're working at different levels. There's no guarantee that
> vhost-vdpa is the driver for this vdpa device.

In fact, get_config returns void, so userspace can easily get
trash if it passes incorrect parameters by mistake, there is
no way for userspace to find out whether that is the case :(

Any objections to returning the # of bytes copied, or -1
on error?

> 
> > 
> > Second, what will happen when we extend the struct and then
> > run new userspace on an old kernel? Looks like it will just
> > fail right? So what is the plan?
> 
> 
> In this case, get_config() should match the spec behaviour. That is to say
> the size of config space depends on the feature negotiated.
> 
> Thanks

Yes but spec says config space can be bigger than specified by features:

	Drivers MUST NOT limit structure size and device configuration space size. Instead, drivers SHOULD only
	check that device configuration space is large enough to contain the fields necessary for device operation.



> 
> >   I think we should
> > allow a bigger size, and return the copied config size to userspace.
> > 
> > 
> > > -- 
> > > 2.29.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ