Message ID | 20230119135721.83345-4-alexander.shishkin@linux.intel.com |
---|---|
State | New |
Headers | From: Alexander Shishkin <alexander.shishkin@linux.intel.com> To: mst@redhat.com, jasowang@redhat.com Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen <ak@linux.intel.com>, Alexander Shishkin <alexander.shishkin@linux.intel.com>, Christian Schoenebeck <linux_oss@crudebyte.com>, Eric Van Hensbergen <ericvh@gmail.com>, Latchesar Ionkov <lucho@ionkov.net>, Dominique Martinet <asmadeus@codewreck.org>, v9fs-developer@lists.sourceforge.net Subject: [PATCH v1 3/6] virtio 9p: Fix an overflow Date: Thu, 19 Jan 2023 15:57:18 +0200 Message-Id: <20230119135721.83345-4-alexander.shishkin@linux.intel.com> In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com> References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com> |
Series |
Harden a few virtio bits
|
|
Commit Message
Alexander Shishkin
Jan. 19, 2023, 1:57 p.m. UTC
From: Andi Kleen <ak@linux.intel.com>

tag_len is read as a u16 from the untrusted host. It could overflow
in the memory allocation, which would lead to a too small buffer.

Some later loops use it when extended to 32bit, so they could overflow
the too small buffer.

Make sure to do the arithmetic for the buffer size in 32bit to avoid
wrapping.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: Dominique Martinet <asmadeus@codewreck.org>
Cc: v9fs-developer@lists.sourceforge.net
---
net/9p/trans_virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin wrote: > From: Andi Kleen <ak@linux.intel.com> > > tag_len is read as a u16 from the untrusted host. It could overflow > in the memory allocation, which would lead to a too small buffer. > > Some later loops use it when extended to 32bit, so they could overflow > the too small buffer. > > Make sure to do the arithmetic for the buffer size in 32bit to avoid > wrapping. > > Signed-off-by: Andi Kleen <ak@linux.intel.com> > Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> > Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com> > Cc: Eric Van Hensbergen <ericvh@gmail.com> > Cc: Latchesar Ionkov <lucho@ionkov.net> > Cc: Dominique Martinet <asmadeus@codewreck.org> > Cc: v9fs-developer@lists.sourceforge.net > --- > net/9p/trans_virtio.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c > index 3c27ffb781e3..a78e4d80e5ba 100644 > --- a/net/9p/trans_virtio.c > +++ b/net/9p/trans_virtio.c > @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) > err = -EINVAL; > goto out_free_vq; > } > - tag = kzalloc(tag_len + 1, GFP_KERNEL); > + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL); > if (!tag) { > err = -ENOMEM; > goto out_free_vq; Hmm are you sure there's a difference in behaviour? I thought C will just extend the integer to int. > -- > 2.39.0
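Whether the cast changes the allocation size can be checked exhaustively over every 16-bit value of tag_len. The following is an added example, not code from the patch or the kernel; the function names are hypothetical, and `size_truncated` is a constructed contrast case showing where a 16-bit wrap would actually occur.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch expression: the u16 operand is promoted to int before the
 * addition, so the sum is computed in the width of int (32 bits on
 * Linux targets) and 65535 + 1 yields 65536. */
static size_t size_promoted(uint16_t tag_len)
{
	return tag_len + 1;
}

/* Patched expression: explicit cast to a 32-bit unsigned type. */
static size_t size_cast_u32(uint16_t tag_len)
{
	return (uint32_t)tag_len + 1;
}

/* Constructed contrast: the sum is narrowed back to 16 bits before use.
 * Only this form wraps, and only for tag_len == 65535. */
static size_t size_truncated(uint16_t tag_len)
{
	uint16_t n = (uint16_t)(tag_len + 1);
	return n;
}

/* Count the 16-bit lengths for which two size computations disagree. */
static unsigned count_mismatch(size_t (*a)(uint16_t), size_t (*b)(uint16_t))
{
	unsigned bad = 0;

	for (uint32_t len = 0; len <= UINT16_MAX; len++)
		if (a((uint16_t)len) != b((uint16_t)len))
			bad++;
	return bad;
}

int main(void)
{
	printf("promoted vs u32 cast: %u mismatches\n",
	       count_mismatch(size_promoted, size_cast_u32));
	printf("promoted vs truncated: %u mismatches\n",
	       count_mismatch(size_promoted, size_truncated));
	printf("truncated size for 65535: %zu\n", size_truncated(UINT16_MAX));
	return 0;
}
```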
"Michael S. Tsirkin" <mst@redhat.com> writes: > On Thu, Jan 19, 2023 at 03:57:18PM +0200, Alexander Shishkin wrote: >> From: Andi Kleen <ak@linux.intel.com> >> >> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c >> index 3c27ffb781e3..a78e4d80e5ba 100644 >> --- a/net/9p/trans_virtio.c >> +++ b/net/9p/trans_virtio.c >> @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) >> err = -EINVAL; >> goto out_free_vq; >> } >> - tag = kzalloc(tag_len + 1, GFP_KERNEL); >> + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL); >> if (!tag) { >> err = -ENOMEM; >> goto out_free_vq; > > Hmm are you sure there's a difference in behaviour? I thought C will just > extend the integer to int. Actually, you're right, integer promotion would extend the original expression to int. I'll drop this patch also. Thanks, -- Alex
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 3c27ffb781e3..a78e4d80e5ba 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) err = -EINVAL; goto out_free_vq; } - tag = kzalloc(tag_len + 1, GFP_KERNEL); + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL); if (!tag) { err = -ENOMEM; goto out_free_vq;
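Review bot: The `(u32)` cast on the added kzalloc line does not change the size that is requested. The commit message gives tag_len as a u16, and in `tag_len + 1` a u16 operand is promoted to int before the addition, so the sum reaches at most 65536 and cannot wrap; the removed and added lines compute the same value. Nothing in this hunk shows the buffer ending up undersized, so I would drop the cast, and if a later loop is still believed to overrun the tag buffer, name that loop in the commit message and bound the host-supplied length there instead.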