| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7dc11da9-ddd5-d73e-ce76-7ecbd78b946a@oracle.com>
Date: Mon, 28 Nov 2022 18:05:22 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: Stefano Garzarella <sgarzare@...hat.com>,
Dan Carpenter <error27@...il.com>
Cc: harshit.m.mogalapalli@...il.com,
"Michael S . Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>,
Xie Yongji <xieyongji@...edance.com>,
Gautam Dawar <gautam.dawar@...inx.com>,
Parav Pandit <parav@...dia.com>, Eli Cohen <elic@...dia.com>,
virtualization@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] vduse: Validate vq_num in vduse_validate_config()
On 28/11/22 4:43 pm, Stefano Garzarella wrote:
> On Mon, Nov 28, 2022 at 01:58:00PM +0300, Dan Carpenter wrote:
>> On Mon, Nov 28, 2022 at 11:53:12AM +0100, Stefano Garzarella wrote:
>>> On Mon, Nov 28, 2022 at 12:36:26AM -0800, Harshit Mogalapalli wrote:
>>> > Add a limit to 'config->vq_num' which is user controlled data which
>>> > comes from an vduse_ioctl to prevent large memory allocations.
>>> >
>>> > This is found using static analysis with smatch.
>>> >
>>> > Suggested-by: Michael S. Tsirkin <mst@...hat.com>
>>> > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
>>> > ---
>>> > v1->v2: Change title of the commit and description, add a limit to
>>> > vq_num.
>>> >
>>> > Note: I think here 0xffff is the max size of vring = no: of vqueues.
>>> > Only compile and boot tested.
>>> > ---
>>> > drivers/vdpa/vdpa_user/vduse_dev.c | 3 +++
>>> > 1 file changed, 3 insertions(+)
>>> >
>>> > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c
>>> b/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > index 35dceee3ed56..31017ebc4d7c 100644
>>> > --- a/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
>>> > @@ -1440,6 +1440,9 @@ static bool vduse_validate_config(struct
>>> vduse_dev_config *config)
>>> > if (config->config_size > PAGE_SIZE)
>>> > return false;
>>> >
>>> > + if (config->vq_num > 0xffff)
>>>
>>> What about using U16_MAX here?
>>
>> Where is the ->vq_num stored in a u16? I looked for this but didn't
>> see it.
>
> I thought vq_num referred to the number of elements in the vq (like
> .get_vq_num_max), since this patch wants to limit to 0xffff.
>
> But it actually refers to the number of virtqueue, so @Harshit why do we
> limit it to 0xffff?
>
Hi Stefano,
I may be incorrect about the details of this driver, my v1 was purely
based on static analysis, Micheal suggested me to put a limit of 0xffff
on vq_num. I really don't know about the driver, while I was searching
other parts of code, I thought 0xffff is based vring size, I have asked
the same question on v1 today.
Ref to v1:
https://lore.kernel.org/all/82e8ce27-0743-59bf-fbe8-a25093167451@oracle.com/
> Maybe we should explain it in the commit message or in a comment.
>
yeah, we should clarify the limit in commit message, once Micheal shares
about the limit '0xffff), I will add those details and send a next
version if that's okay.
Thanks,
Harshit
> Thanks,
> Stefano
>
Powered by blists - more mailing lists