From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 79350C44507 for ; Mon, 13 Jul 2026 14:36:36 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists1p.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wjHlG-0008AG-1Z; Mon, 13 Jul 2026 10:35:58 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wjHl1-00088L-U7 for qemu-devel@nongnu.org; Mon, 13 Jul 2026 10:35:46 -0400 Received: from sea.source.kernel.org ([172.234.252.31]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wjHkx-0001u7-UG for qemu-devel@nongnu.org; Mon, 13 Jul 2026 10:35:43 -0400 Received: from smtp.kernel.org (quasi.space.kernel.org [100.103.45.18]) by sea.source.kernel.org (Postfix) with ESMTP id 4981F40107; Mon, 13 Jul 2026 14:35:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CB7F31F000E9; Mon, 13 Jul 2026 14:35:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1783953338; bh=YRwJLocGlcoYlaaTPE4IjhqLICavZEbrDlqYevfC/QY=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=e6NkguFZ0aktHnjn4uJOAUCErDLy+AdH0yHaaX81yZFdk1aIYq8rOHThE97TXUKfS D/9i12Itoy3BF5l3EwzAv2Hd73liTMT0rCfmM90FZWi8IfCV3laBRwVBdoiAV8GT4O JiOsLpF7Tfp+EvlYGOaAnkuBMwfqCCHKQ+AhV1KNpkJQ328bLdj2vUaJi9cXLT77RB 0mZnkbXDLzQs1i9YcSWrwVQSTDDNpQoRujiuoP0XnIr5kV9yUWkCVSLzmlgSK6cDW0 N2bNopRytKPM+aVDU6f3/9jv0X0Y9mLvF3E+LZjbQy7/T8gCaMn6Q8CaVj+PE8m3Sh 9c4YTyz74EtdA== From: Helge Deller To: Stefan Hajnoczi , qemu-devel@nongnu.org Cc: Laurent Vivier , Pierrick Bouvier , Helge Deller , Peter Maydell Subject: [PULL 1/2] linux-user: Validate guest-passed dm_ioctl data_size Date: Mon, 13 Jul 2026 16:35:30 +0200 Message-ID: <20260713143533.4641-2-deller@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260713143533.4641-1-deller@kernel.org> References: <20260713143533.4641-1-deller@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=172.234.252.31; envelope-from=deller@kernel.org; helo=sea.source.kernel.org X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Peter Maydell In do_ioctl_dm() we work with a struct dm_ioctl from the guest. This has a fixed initial part, and then a variable data part; the guest tells us how long that part is by setting the data_size field. The data_size is supposed to include the length of the fixed parts of the struct dm_ioctl. Currently we don't validate anything about the guest-provided data_size, and we use it to allocate a buffer which we then copy the fixed part of the dm_ioctl struct into. This means that if the guest passes a very small data_size the copy of the fixed part will overrun the buffer. Perform the same sanitizing of the minimum and maximum limits of the data_size that the kernel does in drivers/md/dm-ioctl.c in the copy_params() function. Cc: qemu-stable@nongnu.org Fixes: 56e904ecb2018 ("linux-user: implement device mapper ioctls") Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3736 Signed-off-by: Peter Maydell Reviewed-by: Helge Deller Signed-off-by: Helge Deller --- linux-user/syscall.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index d257fb9ca9..3f060ee8b6 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -5088,6 +5088,9 @@ do_ioctl_usbdevfs_submiturb(const IOCTLEntry *ie, uint8_t *buf_temp, } #endif /* CONFIG_USBFS */ +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 + static abi_long do_ioctl_dm(const IOCTLEntry *ie, uint8_t *buf_temp, int fd, int cmd, abi_long arg) { @@ -5100,6 +5103,7 @@ static abi_long do_ioctl_dm(const IOCTLEntry *ie, uint8_t *buf_temp, int fd, abi_long ret; void *big_buf = NULL; char *host_data; + const size_t minimum_data_size = offsetof(struct dm_ioctl, data); arg_type++; target_size = thunk_type_size(arg_type, 0); @@ -5111,9 +5115,26 @@ static abi_long do_ioctl_dm(const IOCTLEntry *ie, uint8_t *buf_temp, int fd, thunk_convert(buf_temp, argptr, arg_type, THUNK_HOST); unlock_user(argptr, arg, 0); - /* buf_temp is too small, so fetch things into a bigger buffer */ - big_buf = g_malloc0(((struct dm_ioctl*)buf_temp)->data_size * 2); - memcpy(big_buf, buf_temp, target_size); + /* At this point this includes the size of the fixed dm_ioctl parts */ + guest_data_size = ((struct dm_ioctl *)buf_temp)->data_size; + + if (guest_data_size < minimum_data_size || + guest_data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS) { + ret = -TARGET_EINVAL; + goto out; + } + + /* + * buf_temp is too small, so fetch things into a bigger buffer. Here + * we copy all of the fixed parts of struct dm_ioctl but not the + * data at the end (which in the struct is "char data[7]" but in + * reality is command-specific and might be nothing or might be + * much larger, as defined by data_size). We know struct dm_ioctl's + * size is not target specific so we don't need to distinguish between + * its minimum size for the host vs the target. + */ + big_buf = g_malloc0(guest_data_size * 2); + memcpy(big_buf, buf_temp, minimum_data_size); buf_temp = big_buf; host_dm = big_buf; @@ -5122,7 +5143,8 @@ static abi_long do_ioctl_dm(const IOCTLEntry *ie, uint8_t *buf_temp, int fd, ret = -TARGET_EINVAL; goto out; } - guest_data_size = host_dm->data_size - host_dm->data_start; + /* Adjust down to only the size of the payload */ + guest_data_size -= host_dm->data_start; host_data = (char*)host_dm + host_dm->data_start; argptr = lock_user(VERIFY_READ, guest_data, guest_data_size, 1); -- 2.54.0