lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 28 Nov 2022 14:08:51 +0530
From:   Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To:     "Michael S. Tsirkin" <mst@...hat.com>
Cc:     error27@...il.com, harshit.m.mogalapalli@...il.com,
        Jason Wang <jasowang@...hat.com>,
        Xie Yongji <xieyongji@...edance.com>,
        Gautam Dawar <gautam.dawar@...inx.com>,
        Maxime Coquelin <maxime.coquelin@...hat.com>,
        Guanjun <guanjun@...ux.alibaba.com>,
        Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
        virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev()

Hi Micheal,

On 27/11/22 10:04 pm, Michael S. Tsirkin wrote:
> On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote:
>> Hi Micheal,
>>
>> On 27/11/22 4:52 am, Michael S. Tsirkin wrote:
>>> On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote:
>>>> As 'dev->vq_num' is user-controlled data, if user tries to allocate
>>>> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
>>>> creates a stack trace and messes up dmesg with a warning.
>>>>
>>>> Call trace:
>>>> -> vduse_ioctl
>>>> --> vduse_create_dev
>>>> 'config->vq_num' is user data as it comes from ioctl, which is
>>>> assigned to 'dev->vq_num'.
>>>>
>>>> Add __GFP_NOWARN in order to avoid too large allocation warning.
>>>> This is detected by static analysis using smatch.
>>>>
>>>> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
>>>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
>>>> ---
>>>>    drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
>>>>    1 file changed, 2 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
>>>> index 35dceee3ed56..5e9546b16165 100644
>>>> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
>>>> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
>>>> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config,
>>>>    	dev->config_size = config->config_size;
>>>>    	dev->vq_align = config->vq_align;
>>>>    	dev->vq_num = config->vq_num;
>>>> -	dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL);
>>>> +	dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs),
>>>> +			   GFP_KERNEL | __GFP_NOWARN);
>>>>    	if (!dev->vqs)
>>>>    		goto err_vqs;
>>>
>>
>> Thanks for checking the patch.
>>
>>> This is insufficient - the real source of the problem is that
>>> vq_num is not validated.
>>> The thing to do is to validate config and limit vq_num to 0xffff;
>>>
>>
>> 1557 static long vduse_ioctl(struct file *file, unsigned int cmd,
>> 1558                         unsigned long arg)
>> 1559 {
>> 1560         int ret;
>> 1561         void __user *argp = (void __user *)arg;
>> 1564         mutex_lock(&vduse_lock);
>> 1565         switch (cmd) {
>>               ....
>> 1584         case VDUSE_CREATE_DEV: {
>> 1585                 struct vduse_dev_config config;
>> 1587                 void *buf;
>> 1588
>> 1589                 ret = -EFAULT;
>> 1590                 if (copy_from_user(&config, argp, size))
>> 1591                         break;
>> 1592
>> 1593                 ret = -EINVAL;
>> 1594                 if (vduse_validate_config(&config) == false)
>> 1595                         break;
>> 1596
>> 1597                 buf = vmemdup_user(argp + size, config.config_size);
>> 1598                 if (IS_ERR(buf)) {
>> 1599                         ret = PTR_ERR(buf);
>> 1600                         break;
>> 1601                 }
>> 1602                 config.name[VDUSE_NAME_MAX - 1] = '\0';
>> 1603                 ret = vduse_create_dev(&config, buf,
>> control->api_version);
>> 1604                 if (ret)
>> 1605                         kvfree(buf);
>> 1606                 break;
>> 1607         }
>>
>> we have vduse_validate_config() being called in vduse_ioctl() which is the
>> caller of vduse_create_dev(), so validate_config() is not necessary in
>> vduse_create_dev() ?
>>
>> Thanks,
>> Harshit
> 
> OK but I don't see vduse_validate_config checking vq_num.
> 

right, I have added a limit of 0xffff to vq_num as you suggested in V2.

The reason for keeping the limit as 0xffff is the max number of virt 
queues is the size of vring buffer?

Thanks,
Harshit

>>>
>>>> -- 
>>>> 2.38.1
>>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ