lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 01 Jul 2022 20:22:21 +0800
From:   Schspa Shi <schspa@...il.com>
To:     Marc Zyngier <maz@...nel.org>
Cc:     james.morse@....com, alexandru.elisei@....com,
        suzuki.poulose@....com, catalin.marinas@....com, will@...nel.org,
        linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.cs.columbia.edu,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: arm64: Fix 64 bit mmio handle


Marc Zyngier <maz@...nel.org> writes:

> On 2022-06-30 17:50, Schspa Shi wrote:
>> Marc Zyngier <maz@...nel.org> writes:
>> 
>>> On Thu, 30 Jun 2022 17:12:20 +0100,
>>> Schspa Shi <schspa@...il.com> wrote:
>>>> If the len is 8 bytes, we can't get the correct sign extend 
>>>> for
>>>> be system.
>>> I'm afraid you'll have to give me a bit more details.
>>> 
>>>> Fix the mask type len and the comparison of length.
>>>> Signed-off-by: Schspa Shi <schspa@...il.com>
>>>> ---
>>>>  arch/arm64/kvm/mmio.c | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>> diff --git a/arch/arm64/kvm/mmio.c b/arch/arm64/kvm/mmio.c
>>>> index 3dd38a151d2a6..0692f8b18f35c 100644
>>>> --- a/arch/arm64/kvm/mmio.c
>>>> +++ b/arch/arm64/kvm/mmio.c
>>>> @@ -81,8 +81,8 @@ unsigned long kvm_mmio_read_buf(const void 
>>>> *buf, unsigned
>>>> int len)
>>>>  int kvm_handle_mmio_return(struct kvm_vcpu *vcpu)
>>>>  {
>>>>  	unsigned long data;
>>>> +	unsigned long mask;
>>>>  	unsigned int len;
>>>> -	int mask;
>>>>   	/* Detect an already handled MMIO return */
>>>>  	if (unlikely(!vcpu->mmio_needed))
>>>> @@ -97,7 +97,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu 
>>>> *vcpu)
>>>>  		data = kvm_mmio_read_buf(run->mmio.data, len);
>>>>   		if (kvm_vcpu_dabt_issext(vcpu) &&
>>>> -		    len < sizeof(unsigned long)) {
>>>> +		    len <= sizeof(unsigned long)) {
>>> If you're reading an 8 byte quantity, what is there to 
>>> sign-extend?
>>> Sign extension only makes sense if what you're reading is 
>>> *smaller*
>>> than the size of the register you are targeting.
>>> 
>> Yes, you are correct, sorry for my bad patch.
>> Please ignore this patch.
>> 
>>> I must be missing something. And how is that related to 
>>> running BE? BE
>>> in the host? The guest?
>> I mean BE is for guest running with BE mode.
>
> So what problem did you see? If you have noticed something going
> wrong, I'd like to get it fixed.
>

I have running some static code analysis software upon Kernel 
code.
Seeing there is possible overflow.

maks << 1U << ((len * 8) -1);

The AI don't know, len is only the value of 1, 2, 4, and make this
a warnings

I tring to analysis this, but didn't realize the real scenario of
sign extension, and finally sent this problematic patch.

I do see some uninitialized memory reads (the values are not used
in the end, just as temporary space for API execution),
do we need to fix these?

> Thanks,
>
>          M.


-- 
Schspa Shi
BRs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ