[PATCH] vduse: fix memory corruption in vduse_dev_ioctl()

[PATCH] vduse: fix memory corruption in vduse_dev_ioctl()

[Dan Carpenter]

The "config.offset" comes from the user.  There needs to a check to
prevent it being out of bounds.  The "config.offset" and
"dev->config_size" variables are both type u32.  So if the offset if
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index c9204c62f339..2f789dca0c0b 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
 			break;
 
 		ret = -EINVAL;
-		if (config.length == 0 ||
+		if (config.offset < dev->config_size ||
+		    config.length == 0 ||
 		    config.length > dev->config_size - config.offset)
 			break;
 
-- 
2.20.1

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

Re: [PATCH] vduse: fix memory corruption in vduse_dev_ioctl()

[Dan Carpenter]

On Tue, Dec 07, 2021 at 01:46:14PM +0300, Dan Carpenter wrote:
> The "config.offset" comes from the user.  There needs to a check to
> prevent it being out of bounds.  The "config.offset" and
> "dev->config_size" variables are both type u32.  So if the offset if
> out of bounds then the "dev->config_size - config.offset" subtraction
> results in a very high u32 value.
> 
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
> index c9204c62f339..2f789dca0c0b 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
>  			break;
>  
>  		ret = -EINVAL;
> -		if (config.length == 0 ||
> +		if (config.offset < dev->config_size ||

This is reversed.  Sorry.  Will send a fix.  I was over excited about
this patch.

Also I need to write a Smatch test for this so both the original and my
patched version generate a warning.

regards,
dan carpenter

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

Re: [PATCH] vduse: fix memory corruption in vduse_dev_ioctl()

[Dan Carpenter]

On Tue, Dec 07, 2021 at 07:19:35PM +0800, Yongji Xie wrote:
> On Tue, Dec 7, 2021 at 6:46 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > The "config.offset" comes from the user.  There needs to a check to
> > prevent it being out of bounds.  The "config.offset" and
> > "dev->config_size" variables are both type u32.  So if the offset if
> > out of bounds then the "dev->config_size - config.offset" subtraction
> > results in a very high u32 value.
> >
> 
> Thanks for catching this! I think we also need a fix for
> vhost_vdpa_config_validate().

Okay.  I just sent v2.  I'll send a v3.  vhost_vdpa_config_validate()
uses long type for "size" so the subtract works okay on a 64bit system.

regards,
dan carpenter

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization