Open Source and information security mailing list archives
 
Message-ID: <CANdh5G6cyMoSjujJcGgJ0G4FrHBBc6uvHr13D09P7c-oODTf5w@mail.gmail.com>
Date: Fri, 22 Nov 2024 16:08:53 -0600
From: Zichen Xie <zichenxie0106@...il.com>
To: bp@...en8.de, thomas.lendacky@....com, nikunj@....com, 
	u.kleine-koenig@...gutronix.de, sathyanarayanan.kuppuswamy@...ux.intel.com, 
	michael.roth@....com
Cc: linux-kernel@...r.kernel.org, Chenyuan Yang <chenyuan0y@...il.com>, 
	Zijie Zhao <zzjas98@...il.com>
Subject: Question about a problem caused by copy_from_sockptr() in get_ext_report()

Dear developers,

I'm curious about whether the function `get_ext_report` might have a
security issue.

The function is
https://elixir.bootlin.com/linux/v6.12/source/drivers/virt/coco/sev-guest/sev-guest.c#L577,
and the relevant code is:
```
if (copy_from_sockptr(report_req, io->req_data, sizeof(*report_req)))
	return -EFAULT;
```

Here copy_from_sockptr() is called without checking the length of
io->req_data. If the remaining length of io->req_data is less than
sizeof(*report_req), the copy should be illegal.
So, I think a check beforehand could be useful.

Please kindly correct me if I missed any key information. Looking
forward to your response!

Best,
Zichen
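
An added example, not part of the original message and not kernel code: a userspace C model of the length check the message asks about, patterned on the kernel's `copy_safe_from_sockptr()` helper. The `model_*` names, the `report_req_model` layout and the `req_len` parameter are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout, for illustration only. */
struct report_req_model {
	uint8_t user_data[64];
	uint32_t vmpl;
};

/* Userspace model of a sockptr: pointer plus origin flag, no length. */
struct model_sockptr {
	const void *ptr;
	bool is_kernel; /* unused here: both kinds are plain memory in this model */
};

/* Unchecked copy: always reads `size` bytes, whatever the source holds. */
static int model_copy_from_sockptr(void *dst, struct model_sockptr src,
				   size_t size)
{
	if (!src.ptr)
		return -EFAULT;
	memcpy(dst, src.ptr, size);
	return 0;
}

/* Checked copy, same shape as the kernel's copy_safe_from_sockptr(). */
static int model_copy_safe_from_sockptr(void *dst, size_t ksize,
					struct model_sockptr src, size_t srclen)
{
	if (srclen < ksize)
		return -EINVAL; /* source too short: refuse before copying */
	if (model_copy_from_sockptr(dst, src, ksize))
		return -EFAULT;
	return 0;
}

/* req_len is an assumed extra parameter; the quoted call passes no source length. */
int get_report_checked(struct model_sockptr req_data, size_t req_len,
		       struct report_req_model *out)
{
	return model_copy_safe_from_sockptr(out, sizeof(*out), req_data, req_len);
}
```

The check only helps where the caller actually knows the source length, which is why the model adds `req_len` as a separate argument.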
