lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 23 Sep 2019 09:12:36 +0000
From:   "wangxu (AE)" <wangxu72@...wei.com>
To:     "Michael S. Tsirkin" <mst@...hat.com>
CC:     "jasowang@...hat.com" <jasowang@...hat.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "virtualization@...ts.linux-foundation.org" 
        <virtualization@...ts.linux-foundation.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] vhost: It's better to use size_t for the 3rd parameter
 of vhost_exceeds_weight()

Hi Michael

	Thanks for your fast reply.

	As the following code, the 2nd branch of iov_iter_advance() does not check if i->count < size, when this happens, i->count -= size may cause len exceed INT_MAX, and then total_len exceed INT_MAX.

	handle_tx_copy() ->
		get_tx_bufs(..., &len, ...) ->
			init_iov_iter() ->
				iov_iter_advance(iter, ...) 	// has 3 branches: 
					pipe_advance() 	 	// has checked the size: if (unlikely(i->count < size)) size = i->count;
					iov_iter_is_discard() ... 	// no check.
					iterate_and_advance() 	//has checked: if (unlikely(i->count < n)) n = i->count;
				return iov_iter_count(iter);

-----Original Message-----
From: Michael S. Tsirkin [mailto:mst@...hat.com] 
Sent: Monday, September 23, 2019 4:07 PM
To: wangxu (AE) <wangxu72@...wei.com>
Cc: jasowang@...hat.com; kvm@...r.kernel.org; virtualization@...ts.linux-foundation.org; netdev@...r.kernel.org; linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vhost: It's better to use size_t for the 3rd parameter of vhost_exceeds_weight()

On Mon, Sep 23, 2019 at 03:46:41PM +0800, wangxu wrote:
> From: Wang Xu <wangxu72@...wei.com>
> 
> Caller of vhost_exceeds_weight(..., total_len) in drivers/vhost/net.c 
> usually pass size_t total_len, which may be affected by rx/tx package.
> 
> Signed-off-by: Wang Xu <wangxu72@...wei.com>


Puts a bit more pressure on the register file ...
why do we care? Is there some way that it can exceed INT_MAX?

> ---
>  drivers/vhost/vhost.c | 4 ++--
>  drivers/vhost/vhost.h | 7 ++++---
>  2 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 
> 36ca2cf..159223a 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -412,7 +412,7 @@ static void vhost_dev_free_iovecs(struct vhost_dev 
> *dev)  }
>  
>  bool vhost_exceeds_weight(struct vhost_virtqueue *vq,
> -			  int pkts, int total_len)
> +			  int pkts, size_t total_len)
>  {
>  	struct vhost_dev *dev = vq->dev;
>  
> @@ -454,7 +454,7 @@ static size_t vhost_get_desc_size(struct 
> vhost_virtqueue *vq,
>  
>  void vhost_dev_init(struct vhost_dev *dev,
>  		    struct vhost_virtqueue **vqs, int nvqs,
> -		    int iov_limit, int weight, int byte_weight)
> +		    int iov_limit, int weight, size_t byte_weight)
>  {
>  	struct vhost_virtqueue *vq;
>  	int i;
> diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h index 
> e9ed272..8d80389d 100644
> --- a/drivers/vhost/vhost.h
> +++ b/drivers/vhost/vhost.h
> @@ -172,12 +172,13 @@ struct vhost_dev {
>  	wait_queue_head_t wait;
>  	int iov_limit;
>  	int weight;
> -	int byte_weight;
> +	size_t byte_weight;
>  };
>  


This just costs extra memory, and value is never large, so I don't think this matters.

> -bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts, int 
> total_len);
> +bool vhost_exceeds_weight(struct vhost_virtqueue *vq, int pkts,
> +			  size_t total_len);
>  void vhost_dev_init(struct vhost_dev *, struct vhost_virtqueue **vqs,
> -		    int nvqs, int iov_limit, int weight, int byte_weight);
> +		    int nvqs, int iov_limit, int weight, size_t byte_weight);
>  long vhost_dev_set_owner(struct vhost_dev *dev);  bool 
> vhost_dev_has_owner(struct vhost_dev *dev);  long 
> vhost_dev_check_owner(struct vhost_dev *);
> --
> 1.8.5.6

Powered by blists - more mailing lists