Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"

From: Al Viro
Date: Wed Apr 21 2021 - 21:16:03 EST

Next message: Peter Xu: "Re: [PATCH 00/23] userfaultfd-wp: Support shmem and hugetlbfs"
Previous message: Peter Xu: "Re: [PATCH 16/23] hugetlb/userfaultfd: Take care of UFFDIO_COPY_MODE_WP"
In reply to: Tavis Ormandy: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Next in thread: Hans de Goede: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> On 2021-04-21, Greg Kroah-Hartman wrote:
> > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> >
> > - *((struct vbg_ioctl_hdr *)buf) = hdr;
> > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > - hdr.size_in - sizeof(hdr))) {
> > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> > ret = -EFAULT;
> > goto out;
> > }
>
> This one seems like a real bugfix, otherwise there's a double-fetch from
> userspace, and a TOCTOU with the hdr fields that could cause a OOB read.

ACK, except that typecasts in there are messy as hell. But that's,
alas, consistent with the rest of the function...

Patch itself is correct, and AFAICS Wenwen Wang <wang6495@xxxxxxx>
might be an innocent collateral damage from that mess - commits from that
source appear to be fairly well-written.

Next message: Peter Xu: "Re: [PATCH 00/23] userfaultfd-wp: Support shmem and hugetlbfs"
Previous message: Peter Xu: "Re: [PATCH 16/23] hugetlb/userfaultfd: Take care of UFFDIO_COPY_MODE_WP"
In reply to: Tavis Ormandy: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Next in thread: Hans de Goede: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]