lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <86ed5wvixw.wl-maz@kernel.org>
Date: Fri, 06 Sep 2024 17:35:39 +0100
From: Marc Zyngier <maz@...nel.org>
To: Snehal Koukuntla <snehalreddy@...gle.com>
Cc: Oliver Upton <oliver.upton@...ux.dev>,
	James Morse <james.morse@....com>,
	Suzuki K Poulose <suzuki.poulose@....com>,
	Zenghui Yu <yuzenghui@...wei.com>,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>,
	Sudeep Holla <sudeep.holla@....com>,
	Sebastian Ene <sebastianene@...gle.com>,
	Vincent Donnefort <vdonnefort@...gle.com>,
	Jean-Philippe Brucker <jean-philippe@...aro.org>,
	linux-arm-kernel@...ts.infradead.org,
	kvmarm@...ts.linux.dev,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: arm64: Add memory length checks before it is xfered

Hi Snehal,

On Fri, 06 Sep 2024 10:27:32 +0100,
Snehal Koukuntla <snehalreddy@...gle.com> wrote:
> 
> From: Snehal <snehalreddy@...gle.com>
> 
> Check size during allocation to fix discrepancy in memory reclaim path.
> Currently only happens during memory reclaim, inconsistent with mem_xfer

Can you please elaborate? It doesn't seem to fail at allocation time
here, as everything is pre-allocated. Some context would greatly help,
as my FFA-foo is as basic as it gets (I did read the spec once and ran
away screaming).

>
> Signed-off-by: Snehal Koukuntla <snehalreddy@...gle.com>

The From: and Signed-off-by: tags do not match. You may want to add a
[user] section to your .gitconfig with your full name so that this
issue is sorted once and for all.

> ---
>  arch/arm64/kvm/hyp/nvhe/ffa.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> index e715c157c2c4..e9223cc4f913 100644
> --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> @@ -461,6 +461,11 @@ static __always_inline void do_ffa_mem_xfer(const u64 func_id,

/facepalm: why do we have this __always_inline here? Nothing to do
with your patch, but definitely worth understanding why it is
required.

>  		goto out_unlock;
>  	}
>  
> +	if (len > ffa_desc_buf.len) {
> +		ret = FFA_RET_NO_MEMORY;
> +		goto out_unlock;
> +	}
> +

It took some digging to understand how the various queues are sized,
and a comment explaining the relation between ffa_desc_buf and the
other queues would be very welcome.

I also notice that we have other places (apparently dealing with
fragments) that do not have such checks. Do they need anything else?

>  	buf = hyp_buffers.tx;
>  	memcpy(buf, host_buffers.tx, fraglen);
>  

Finally, this probably deserves a Fixes: tag and a Cc: stable so that
it can be backported.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ