lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a74cfc12-f404-47ca-85a8-164da22bdbfc@linux.ibm.com>
Date: Wed, 6 Nov 2024 09:54:33 +0100
From: Janosch Frank <frankja@...ux.ibm.com>
To: Heiko Carstens <hca@...ux.ibm.com>, Steffen Eiden <seiden@...ux.ibm.com>
Cc: linux-kernel@...r.kernel.org, linux-s390@...r.kernel.org,
        Ingo Franzki <ifranzki@...ux.ibm.com>,
        Christoph Schlameuss <schlameuss@...ux.ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>, borntraeger@...ux.ibm.com
Subject: Re: [PATCH v3] s390/uvdevice: Support longer secret lists

On 11/6/24 9:10 AM, Heiko Carstens wrote:
> On Mon, Nov 04, 2024 at 04:36:09PM +0100, Steffen Eiden wrote:
>> Enable the list IOCTL to provide lists longer than one page (85 entries).
>> The list IOCTL now accepts any argument length in page granularity.
>> It fills the argument up to this length with entries until the list
>> ends. User space unaware of this enhancement will still receive one page
>> of data and an uv_rc 0x0100.
>>
>> Signed-off-by: Steffen Eiden <seiden@...ux.ibm.com>
>> ---
>>   v3: remove upper boundary (8 pages) for arg len
> 
> ...
> 
>> +static int uvio_get_list(void *zpage, struct uvio_ioctl_cb *uv_ioctl)
>> +{
>> +	const size_t data_off = offsetof(struct uv_secret_list, secrets);
>> +	u8 __user *user_buf = (u8 __user *)uv_ioctl->argument_addr;
>> +	struct uv_secret_list *list = zpage;
>> +	u16 num_secrets_stored = 0;
>> +	size_t user_off = data_off;
>> +	size_t copy_len;
>> +
>> +	do {
>> +		uv_list_secrets(list, list->next_secret_idx, &uv_ioctl->uv_rc,
>> +				&uv_ioctl->uv_rrc);
>> +		if (uv_ioctl->uv_rc != UVC_RC_EXECUTED &&
>> +		    uv_ioctl->uv_rc != UVC_RC_MORE_DATA)
>> +			break;
>> +
>> +		copy_len = sizeof(list->secrets[0]) * list->num_secr_stored;
>> +		WARN_ON(copy_len > sizeof(list->secrets));
> 
> Is this really possible? Without checking the documentation I guess
> this is not possible and therefore the WARN_ON() should be removed.
> 

This happening requires a FW error, no?
list->num_secr_stored is reported by FW and would need to be >85.

We could clamp it down to 85 secrets / 4k - sizeof(header) with a 
WARN_ON_ONCE() to catch FW problems if that suits you more.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ