| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <83c010a7b8821309a023e41efbabb7e96f156eec.camel@kernel.org>
Date: Wed, 31 May 2023 20:17:49 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Stefan Berger <stefanb@...ux.ibm.com>,
linux-integrity@...r.kernel.org
Cc: Jason Gunthorpe <jgg@...dia.com>,
Alejandro Cabrera <alejandro.cabreraaldaya@...i.fi>,
Jarkko Sakkinen <jarkko.sakkinen@...i.fi>,
stable@...r.kernel.org, Stefan Berger <stefanb@...ux.vnet.ibm.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel
memory as user memory
On Tue, 2023-05-30 at 13:45 -0400, Stefan Berger wrote:
>
> On 5/29/23 22:01, Jarkko Sakkinen wrote:
> > From: Jarkko Sakkinen <jarkko.sakkinen@...i.fi>
> >
>
> > - rc = copy_to_user(buf, proxy_dev->buffer, len);
> > + if (buf)
> > + rc = copy_to_user(buf, proxy_dev->buffer, len);
> > +
>
> Looking through other drivers it seems buf is always expected to be a valid non-NULL pointer on file_operations.read().
>
>
> https://elixir.bootlin.com/linux/latest/source/arch/x86/mm/tlb.c#L1279 simple_read_from_buffer will pass the pointer to the user buffer along and it ('to') ends up in copy_to_user(to, ...);
>
>
> Same here: https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_fs.c#L41
It is good to mention here that IMA uses __user tagged pointers
correctly, and it does not really compare to the vtpm driver code
by any possible means. So let's not add illegit comparison points.
BR, Jarkko
Powered by blists - more mailing lists