From: Dan Carpenter <dan.carpenter@oracle.com>
To: KY Srinivasan <kys@microsoft.com>
Cc: "olaf@aepfle.de" <olaf@aepfle.de>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"jasowang@redhat.com" <jasowang@redhat.com>,
	"dmitry.torokhov@gmail.com" <dmitry.torokhov@gmail.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"vojtech@suse.cz" <vojtech@suse.cz>,
	"linux-input@vger.kernel.org" <linux-input@vger.kernel.org>,
	"apw@canonical.com" <apw@canonical.com>,
	"devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
Subject: Re: [PATCH 1/1] Drivers: input: serio: New driver to support Hyper-V synthetic keyboard
Date: Mon, 16 Sep 2013 18:05:48 +0300
Message-ID: <20130916150548.GO25896@mwanda>
In-Reply-To: <3b5096d0190b4440a8e25afbd22ab72d@SN2PR03MB061.namprd03.prod.outlook.com>

On Mon, Sep 16, 2013 at 02:46:24PM +0000, KY Srinivasan wrote:
> > > +			case VM_PKT_DATA_INBAND:
> > > +				hv_kbd_on_receive(device, desc);
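Review bot: the hv_kbd_on_receive(device, desc) call in the VM_PKT_DATA_INBAND case passes no length, so the callee has nothing to bound the descriptor's offset against. Pass the received byte count (the "bytes_recvd" named in this thread) into the handler and have it reject a packet whose offset, plus the size of the message it expects, falls outside that count.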
> > 
> > This is the error handling I mentioned at the top.  hv_kbd_on_receive()
> > doesn't take into consideration the amount of data we received, it
> > trusts the offset we received from the user.  There is an out of bounds
> > read.
> 
> What user are you referring to? The message is sent by the host - the user keystroke
> is normalized into a fixed size packet by the host and sent to the guest. We will parse this
> packet, based on the host specified layout here.
> 

The user means the hypervisor, yes.

I don't want the hypervisor accessing outside of the buffer.  It is
a robustness issue.  Just check the offset against "bytes_recvd".  It's
not complicated.

If you have a different place where the guest does this then tell me
which function to look at.

regards,
dan carpenter
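
The check requested in this message, written out as an added example; it is not code from the e-mail, the patch or the driver. The struct layouts, the 8-byte unit of `offset8`, the sample field values and the names `kbd_parse` and `build_sample` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified packet header (not the driver's definition):
 * offset8 = payload start in 8-byte units from the packet start. */
struct pkt_desc { uint16_t type, offset8, len8, flags; uint64_t trans_id; };

/* Hypothetical fixed-size message expected in the payload. */
struct kbd_msg { uint32_t msg_type, scancode; };

/* Returns 0 and fills *out only if the payload lies entirely inside the
 * bytes_recvd bytes actually read; -1 otherwise. */
int kbd_parse(const uint8_t *buf, size_t bytes_recvd, struct kbd_msg *out)
{
	struct pkt_desc desc;
	size_t off;

	if (bytes_recvd < sizeof(desc))
		return -1;			/* header itself truncated */
	memcpy(&desc, buf, sizeof(desc));
	off = (size_t)desc.offset8 * 8;		/* at most 65535 * 8, no overflow */
	if (off < sizeof(desc))
		return -1;			/* payload would overlap the header */
	if (off > bytes_recvd || bytes_recvd - off < sizeof(*out))
		return -1;			/* payload runs past received data */
	memcpy(out, buf + off, sizeof(*out));
	return 0;
}

/* Constructed sample: 16-byte header, 8-byte message, 24 bytes total.
 * Field values are arbitrary; offset8 is caller-chosen to simulate a bad one. */
size_t build_sample(uint8_t *buf, uint16_t offset8)
{
	struct pkt_desc d = { .type = 6, .offset8 = offset8, .len8 = 3 };
	struct kbd_msg m = { .msg_type = 3, .scancode = 0x1e };

	memcpy(buf, &d, sizeof(d));
	memcpy(buf + sizeof(d), &m, sizeof(m));
	return sizeof(d) + sizeof(m);
}

int main(void)
{
	uint8_t buf[32]; struct kbd_msg m;
	size_t n = build_sample(buf, 100);	/* header claims offset 800 */
	printf("bad offset -> %d\n", kbd_parse(buf, n, &m));
	return 0;
}
```

The subtraction form `bytes_recvd - off < sizeof(*out)` is used after `off > bytes_recvd` has been ruled out, so the comparison cannot wrap.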
