[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YIDOUetRRiizeOBX@zeniv-ca.linux.org.uk>
Date: Thu, 22 Apr 2021 01:16:01 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Tavis Ormandy <taviso@...il.com>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the
request-header once"
On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> On 2021-04-21, Greg Kroah-Hartman wrote:
> > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> >
> > - *((struct vbg_ioctl_hdr *)buf) = hdr;
> > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > - hdr.size_in - sizeof(hdr))) {
> > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> > ret = -EFAULT;
> > goto out;
> > }
>
> This one seems like a real bugfix, otherwise there's a double-fetch from
> userspace, and a TOCTOU with the hdr fields that could cause a OOB read.
ACK, except that typecasts in there are messy as hell. But that's,
alas, consistent with the rest of the function...
Patch itself is correct, and AFAICS Wenwen Wang <wang6495@....edu>
might be an innocent collateral damage from that mess - commits from that
source appear to be fairly well-written.
Powered by blists - more mailing lists