[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YIbzgRAT9j4HR3xK@kroah.com>
Date: Mon, 26 Apr 2021 19:08:17 +0200
From: Greg KH <greg@...ah.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Tavis Ormandy <taviso@...il.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the
request-header once"
On Thu, Apr 22, 2021 at 01:16:01AM +0000, Al Viro wrote:
> On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> > On 2021-04-21, Greg Kroah-Hartman wrote:
> > > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> > >
> > > - *((struct vbg_ioctl_hdr *)buf) = hdr;
> > > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > > - hdr.size_in - sizeof(hdr))) {
> > > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> > > ret = -EFAULT;
> > > goto out;
> > > }
> >
> > This one seems like a real bugfix, otherwise there's a double-fetch from
> > userspace, and a TOCTOU with the hdr fields that could cause a OOB read.
>
> ACK, except that typecasts in there are messy as hell. But that's,
> alas, consistent with the rest of the function...
>
> Patch itself is correct, and AFAICS Wenwen Wang <wang6495@....edu>
> might be an innocent collateral damage from that mess - commits from that
> source appear to be fairly well-written.
I've dropped it from my tree now, thanks for the review.
greg k-h
Powered by blists - more mailing lists