Message-ID: <CAJHc60yMgzQL9VT-K4GuDa7ZAYfNBi3Az3nnZTgd+RLYW+3iTg@mail.gmail.com>
Date: Thu, 30 Oct 2025 12:07:10 -0700
From: Raghavendra Rao Ananta <rananta@...gle.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Alex Williamson <alex.williamson@...hat.com>, David Matlack <dmatlack@...gle.com>, 
	Josh Hilke <jrhilke@...gle.com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd()
On Thu, Oct 30, 2025 at 11:31 AM Jason Gunthorpe <jgg@...pe.ca> wrote:
>
> On Thu, Oct 30, 2025 at 05:12:38PM +0000, Raghavendra Rao Ananta wrote:
> > For the cases where user includes a non-zero value in 'token_uuid_ptr'
> > field of 'struct vfio_device_bind_iommufd', the copy_struct_from_user()
> > in vfio_df_ioctl_bind_iommufd() fails with -E2BIG. For the 'minsz' passed,
> > copy_struct_from_user() expects the newly introduced field to be zero-ed,
> > which would be incorrect in this case.
> >
> > Fix this by passing the actual size of the kernel struct. If working
> > with a newer userspace, copy_struct_from_user() would copy the
> > 'token_uuid_ptr' field, and if working with an old userspace, it would
> > zero out this field, thus still retaining backward compatibility.
> >
> > Fixes: 86624ba3b522 ("vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD")
> > Signed-off-by: Raghavendra Rao Ananta <rananta@...gle.com>
> > ---
> >  drivers/vfio/device_cdev.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Cc: stable@...r.kernel.org
> Reviewed-by: Jason Gunthorpe <jgg@...dia.com>
>
> Though I feel this was copied from some other spot in vfio so I wonder
> if we have a larger set of things that are a little off..
>
I could only find vfio_df_ioctl_bind_iommufd() in vfio referencing
copy_struct_from_user(). The other closest would be in
drivers/iommu/iommufd/main.c::iommufd_fops_ioctl(), which seems to be
doing the right thing.
Thank you.
Raghavendra
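
A userspace model of the copy_struct_from_user() size rules described in the commit message above, added here as an illustration; it is not code from the patch or the kernel tree. The fields ahead of token_uuid_ptr, OLD_MINSZ, model_copy_struct() and model_bind() are assumptions, and the token pointer value is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model struct: only token_uuid_ptr is named in the thread; the leading
 * fields are an assumed layout for illustration. */
struct bind_model {
	uint32_t argsz, flags;
	int32_t  iommufd;
	uint32_t out_devid;
	uint64_t token_uuid_ptr;	/* newly introduced trailing field */
};
/* Struct size before the new field existed (the old 'minsz'). */
#define OLD_MINSZ offsetof(struct bind_model, token_uuid_ptr)

/* Userspace model of copy_struct_from_user()'s trailing-byte rules. */
static int model_copy_struct(void *dst, size_t ksize, const void *src, size_t usize)
{
	size_t size = ksize < usize ? ksize : usize;
	const unsigned char *s = src;

	if (usize < ksize)	/* old userspace: zero the fields it lacks */
		memset((unsigned char *)dst + size, 0, ksize - size);
	for (size_t i = size; i < usize; i++)	/* bytes beyond ksize must be zero */
		if (s[i])
			return -E2BIG;
	memcpy(dst, src, size);
	return 0;
}

/* One bind call: returns the copy result; *seen is the kernel-side token. */
int model_bind(size_t ksize, size_t usize, uint64_t token, uint64_t *seen)
{
	struct bind_model user = { .argsz = (uint32_t)usize, .token_uuid_ptr = token };
	struct bind_model kern;

	memset(&kern, 0xff, sizeof(kern));	/* stand-in for stale stack data */
	int ret = model_copy_struct(&kern, ksize, &user, usize);
	*seen = kern.token_uuid_ptr;
	return ret;
}

int main(void)
{
	uint64_t seen;	/* 0x1000 below is a constructed sample pointer value */
	printf("%d %d\n", model_bind(OLD_MINSZ, sizeof(struct bind_model), 0x1000, &seen),
	       model_bind(sizeof(struct bind_model), sizeof(struct bind_model), 0x1000, &seen));
	return 0;
}
```

The first call models the pre-fix ksize (old minsz) with a token supplied; the second models the fixed ksize (full struct size).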