From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>,
	syzkaller <syzkaller@googlegroups.com>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Dan Carpenter <dan.carpenter@linaro.org>,
	Sasha Levin <sashal@kernel.org>,
	bryantan@vmware.com, vdasa@vmware.com,
	gregkh@linuxfoundation.org
Subject: [PATCH AUTOSEL 6.1 06/31] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
Date: Fri, 29 Mar 2024 08:31:25 -0400	[thread overview]
Message-ID: <20240329123207.3085013-6-sashal@kernel.org> (raw)
In-Reply-To: <20240329123207.3085013-1-sashal@kernel.org>

From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ]

Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentary, based on my understanding:

#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size

memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
					structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

struct delayed_datagram_info {
        struct datagram_entry *entry;
        struct work_struct work;
        bool in_dg_host_queue;
        /* msg and msg_payload must be together. */
        struct vmci_datagram msg;
        u8 msg_payload[];
};

So those extra bytes of payload are copied into msg_payload[], and a run-time
warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into
two parts: a direct assignment of msg, and a second copy taking care of the payload.

Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."

Reported-by: syzkaller <syzkaller@googlegroups.com>
Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c
index f50d22882476f..d1d8224c8800c 100644
--- a/drivers/misc/vmw_vmci/vmci_datagram.c
+++ b/drivers/misc/vmw_vmci/vmci_datagram.c
@@ -234,7 +234,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg)
 
 			dg_info->in_dg_host_queue = true;
 			dg_info->entry = dst_entry;
-			memcpy(&dg_info->msg, dg, dg_size);
+			dg_info->msg = *dg;
+			memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
 
 			INIT_WORK(&dg_info->work, dg_delayed_dispatch);
 			schedule_work(&dg_info->work);
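Review bot: the new memcpy() writes dg->payload_size bytes into msg_payload[], which is only in bounds if dg_info was allocated for the full dg_size (header plus payload) that the removed memcpy() used; that allocation and any check of dg_size against the driver's maximum are outside this hunk, so the reviewer should confirm both still hold before this point. Minor style point: `dg_info->msg_payload` (the array decays to a pointer) is the usual spelling; `&dg_info->msg_payload` has type `u8 (*)[]` but yields the same address, so behaviour is unaffected. `dg + 1` correctly names the first byte after the 24-byte header, matching VMCI_DG_SIZE() = header + payload_size.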
-- 
2.43.0


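To make the field-spanning write concrete, the following is an added stand-alone C example written for this page; it is not the VMCI driver's code and not part of the patch above. It mirrors the 24-byte header and the header-plus-flexible-array queue entry from the commit message, puts the pre-fix single memcpy() next to the patch's struct-assignment-plus-payload-copy, and checks that both leave identical bytes in the entry. The handle member names, the `EXAMPLE_MAX_PAYLOAD` bound, and the sample datagram contents are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the 24-byte VMCI datagram header: two 8-byte handles
 * plus a u64 payload length. Handle member names are assumptions. */
struct vmci_handle { uint32_t context; uint32_t resource; };
struct vmci_datagram {
	struct vmci_handle dst;
	struct vmci_handle src;
	uint64_t payload_size;
};

#define VMCI_DG_HEADERSIZE sizeof(struct vmci_datagram)
#define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
#define EXAMPLE_MAX_PAYLOAD 4096 /* constructed bound for this example */

/* Queue entry: the header must sit directly before the flexible payload array. */
struct delayed_datagram_info {
	int in_dg_host_queue;
	/* msg and msg_payload must be together. */
	struct vmci_datagram msg;
	uint8_t msg_payload[];
};

/* Pre-fix shape: the destination is the 24-byte 'msg' field but the length
 * is header + payload, so FORTIFY_SOURCE flags a field-spanning write. */
static void copy_spanning(struct delayed_datagram_info *info,
			  const struct vmci_datagram *dg)
{
	memcpy(&info->msg, dg, VMCI_DG_SIZE(dg));
}

/* Post-fix shape from the patch: struct assignment for the header, then a
 * copy of only the payload. 'dg + 1' is the first byte past the header. */
static void copy_split(struct delayed_datagram_info *info,
		       const struct vmci_datagram *dg)
{
	info->msg = *dg;
	memcpy(info->msg_payload, dg + 1, (size_t)dg->payload_size);
}

/* Allocate an entry sized for header plus payload and fill it either way. */
struct delayed_datagram_info *queue_datagram(const struct vmci_datagram *dg,
					     int use_split)
{
	struct delayed_datagram_info *info;

	/* Bound the externally supplied length before it sizes the allocation. */
	if (dg->payload_size > EXAMPLE_MAX_PAYLOAD)
		return NULL;
	info = calloc(1, sizeof(*info) + (size_t)dg->payload_size);
	if (!info)
		return NULL;
	info->in_dg_host_queue = 1;
	if (use_split)
		copy_split(info, dg);
	else
		copy_spanning(info, dg);
	return info;
}

/* Constructed sample input: a header followed by payload_size bytes of 'fill'. */
struct vmci_datagram *make_datagram(uint64_t payload_size, uint8_t fill)
{
	struct vmci_datagram *dg = calloc(1, VMCI_DG_HEADERSIZE + (size_t)payload_size);

	if (!dg)
		return NULL;
	dg->dst.context = 1; dg->dst.resource = 2;
	dg->src.context = 3; dg->src.resource = 4;
	dg->payload_size = payload_size;
	memset(dg + 1, fill, (size_t)payload_size);
	return dg;
}

/* Returns 1 when the queued entry holds the same header and payload as the input. */
int check_roundtrip(uint64_t payload_size, uint8_t fill, int use_split)
{
	struct vmci_datagram *dg = make_datagram(payload_size, fill);
	struct delayed_datagram_info *info = dg ? queue_datagram(dg, use_split) : NULL;
	int ok = info != NULL &&
		 memcmp(&info->msg, dg, VMCI_DG_HEADERSIZE) == 0 &&
		 memcmp(info->msg_payload, dg + 1, (size_t)payload_size) == 0;

	free(info);
	free(dg);
	return ok;
}
```

Run `check_roundtrip(32, 0xAB, 0)` and `check_roundtrip(32, 0xAB, 1)` to reproduce Syzkaller's numbers (payload_size 32, dg_size 56): both variants leave identical bytes, which is why the report is a warning about the copy's shape rather than a corruption of the entry. The split form is the one FORTIFY_SOURCE can reason about, because each copy stays inside the member it names.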