lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7dc11da9-ddd5-d73e-ce76-7ecbd78b946a@oracle.com>
Date:   Mon, 28 Nov 2022 18:05:22 +0530
From:   Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To:     Stefano Garzarella <sgarzare@...hat.com>,
        Dan Carpenter <error27@...il.com>
Cc:     harshit.m.mogalapalli@...il.com,
        "Michael S . Tsirkin" <mst@...hat.com>,
        Jason Wang <jasowang@...hat.com>,
        Xie Yongji <xieyongji@...edance.com>,
        Gautam Dawar <gautam.dawar@...inx.com>,
        Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
        virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] vduse: Validate vq_num in vduse_validate_config()



On 28/11/22 4:43 pm, Stefano Garzarella wrote:
> On Mon, Nov 28, 2022 at 01:58:00PM +0300, Dan Carpenter wrote:
>> On Mon, Nov 28, 2022 at 11:53:12AM +0100, Stefano Garzarella wrote:
>>> On Mon, Nov 28, 2022 at 12:36:26AM -0800, Harshit Mogalapalli wrote:
>>> > Add a limit to 'config->vq_num' which is user controlled data which
>>> > comes from an vduse_ioctl to prevent large memory allocations.
>>> >
>>> > This is found using static analysis with smatch.
>>> >
>>> > Suggested-by: Michael S. Tsirkin <mst@...hat.com>
>>> > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
>>> > ---
>>> > v1->v2: Change title of the commit and description, add a limit to
>>> >     vq_num.
>>> >
>>> > Note: I think here 0xffff is the max size of vring =  no: of vqueues.
>>> > Only compile and boot tested.
>>> > ---
>>> > drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++
>>> > 1 file changed, 3 insertions(+)
>>> >
>>> > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c 
>>> b/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > index 35dceee3ed56..31017ebc4d7c 100644
>>> > --- a/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > @@ -1440,6 +1440,9 @@ static bool vduse_validate_config(struct 
>>> vduse_dev_config *config)
>>> >     if (config->config_size > PAGE_SIZE)
>>> >         return false;
>>> >
>>> > +    if (config->vq_num > 0xffff)
>>>
>>> What about using U16_MAX here?
>>
>> Where is the ->vq_num stored in a u16?  I looked for this but didn't
>> see it.
> 
> I thought vq_num referred to the number of elements in the vq (like 
> .get_vq_num_max), since this patch wants to limit to 0xffff.
> 
> But it actually refers to the number of virtqueue, so @Harshit why do we 
> limit it to 0xffff?
> 

Hi Stefano,

I may be incorrect about the details of this driver, my v1 was purely 
based on static analysis, Micheal suggested me to put a limit of 0xffff 
on vq_num. I really don't know about the driver, while I was searching 
other parts of code, I thought 0xffff is based vring size, I have asked 
the same question on v1 today.

Ref to v1: 
https://lore.kernel.org/all/82e8ce27-0743-59bf-fbe8-a25093167451@oracle.com/

> Maybe we should explain it in the commit message or in a comment.
> 

yeah, we should clarify the limit in commit message, once Micheal shares 
about the limit '0xffff), I will add those details and send a next 
version if that's okay.


Thanks,
Harshit
> Thanks,
> Stefano
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ