* [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl()
@ 2021-12-08 10:33 Dan Carpenter
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds Dan Carpenter
2021-12-09 2:12 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Jason Wang
0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2021-12-08 10:33 UTC (permalink / raw)
To: Michael S. Tsirkin, Xie Yongji; +Cc: kernel-janitors, Eli Cohen, virtualization
The "config.offset" comes from the user. There needs to a check to
prevent it being out of bounds. The "config.offset" and
"dev->config_size" variables are both type u32. So if the offset if
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value. The out of bounds offset can result
in memory corruption.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix reversed if statement
v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie.
v4: split the vhost_vdpa_config_validate() change into a separate path
drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index c9204c62f339..1a206f95d73a 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
break;
ret = -EINVAL;
- if (config.length == 0 ||
+ if (config.offset > dev->config_size ||
+ config.length == 0 ||
config.length > dev->config_size - config.offset)
break;
--
2.20.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2 v4] vdpa: check that offsets are within bounds
2021-12-08 10:33 [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Dan Carpenter
@ 2021-12-08 10:33 ` Dan Carpenter
2021-12-09 2:12 ` Jason Wang
2021-12-09 2:12 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Jason Wang
1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2021-12-08 10:33 UTC (permalink / raw)
To: Michael S. Tsirkin, Tiwei Bie, Xie Yongji
Cc: Eugenio Pérez, kernel-janitors, kvm, virtualization
In this function "c->off" is a u32 and "size" is a long. On 64bit systems
if "c->off" is greater than "size" then "size - c->off" is a negative and
we always return -E2BIG. But on 32bit systems the subtraction is type
promoted to a high positive u32 value and basically any "c->len" is
accepted.
Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend")
Reported-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v4: split into a separate patch
drivers/vhost/vdpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index 29cced1cd277..e3c4f059b21a 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -197,7 +197,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
struct vdpa_device *vdpa = v->vdpa;
long size = vdpa->config->get_config_size(vdpa);
- if (c->len == 0)
+ if (c->len == 0 || c->off > size)
return -EINVAL;
if (c->len > size - c->off)
--
2.20.1
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl()
2021-12-08 10:33 [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Dan Carpenter
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds Dan Carpenter
@ 2021-12-09 2:12 ` Jason Wang
1 sibling, 0 replies; 4+ messages in thread
From: Jason Wang @ 2021-12-09 2:12 UTC (permalink / raw)
To: Dan Carpenter
Cc: Michael S. Tsirkin, kernel-janitors, virtualization, Xie Yongji,
Eli Cohen
On Wed, Dec 8, 2021 at 6:33 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> The "config.offset" comes from the user. There needs to a check to
> prevent it being out of bounds. The "config.offset" and
> "dev->config_size" variables are both type u32. So if the offset if
> out of bounds then the "dev->config_size - config.offset" subtraction
> results in a very high u32 value. The out of bounds offset can result
> in memory corruption.
>
> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: fix reversed if statement
> v3: fix vhost_vdpa_config_validate() as pointed out by Yongji Xie.
> v4: split the vhost_vdpa_config_validate() change into a separate path
Acked-by: Jason Wang <jasowang@redhat.com>
>
> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
> index c9204c62f339..1a206f95d73a 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
> break;
>
> ret = -EINVAL;
> - if (config.length == 0 ||
> + if (config.offset > dev->config_size ||
> + config.length == 0 ||
> config.length > dev->config_size - config.offset)
> break;
>
> --
> 2.20.1
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2 v4] vdpa: check that offsets are within bounds
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds Dan Carpenter
@ 2021-12-09 2:12 ` Jason Wang
0 siblings, 0 replies; 4+ messages in thread
From: Jason Wang @ 2021-12-09 2:12 UTC (permalink / raw)
To: Dan Carpenter
Cc: Tiwei Bie, kvm, Eugenio Pérez, Michael S. Tsirkin,
kernel-janitors, virtualization, Xie Yongji
On Wed, Dec 8, 2021 at 6:34 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> In this function "c->off" is a u32 and "size" is a long. On 64bit systems
> if "c->off" is greater than "size" then "size - c->off" is a negative and
> we always return -E2BIG. But on 32bit systems the subtraction is type
> promoted to a high positive u32 value and basically any "c->len" is
> accepted.
>
> Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend")
> Reported-by: Xie Yongji <xieyongji@bytedance.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
> ---
> v4: split into a separate patch
>
> drivers/vhost/vdpa.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index 29cced1cd277..e3c4f059b21a 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -197,7 +197,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
> struct vdpa_device *vdpa = v->vdpa;
> long size = vdpa->config->get_config_size(vdpa);
>
> - if (c->len == 0)
> + if (c->len == 0 || c->off > size)
> return -EINVAL;
>
> if (c->len > size - c->off)
> --
> 2.20.1
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-12-09 2:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-08 10:33 [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Dan Carpenter
2021-12-08 10:33 ` [PATCH 2/2 v4] vdpa: check that offsets are within bounds Dan Carpenter
2021-12-09 2:12 ` Jason Wang
2021-12-09 2:12 ` [PATCH 1/2 v4] vduse: fix memory corruption in vduse_dev_ioctl() Jason Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).