Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"

From: Greg KH
Date: Mon Apr 26 2021 - 13:10:08 EST

Next message: Florian Fainelli: "Re: [PATCH 5.4 00/20] 5.4.115-rc1 review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 000/190] Revertion of all of the umn.edu commits"
In reply to: Hans de Goede: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 22, 2021 at 01:16:01AM +0000, Al Viro wrote:
> On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> > On 2021-04-21, Greg Kroah-Hartman wrote:
> > > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> > >
> > > - *((struct vbg_ioctl_hdr *)buf) = hdr;
> > > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > > - hdr.size_in - sizeof(hdr))) {
> > > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> > > ret = -EFAULT;
> > > goto out;
> > > }
> >
> > This one seems like a real bugfix, otherwise there's a double-fetch from
> > userspace, and a TOCTOU with the hdr fields that could cause a OOB read.
>
> ACK, except that typecasts in there are messy as hell. But that's,
> alas, consistent with the rest of the function...
>
> Patch itself is correct, and AFAICS Wenwen Wang <wang6495@xxxxxxx>
> might be an innocent collateral damage from that mess - commits from that
> source appear to be fairly well-written.

I've dropped it from my tree now, thanks for the review.

greg k-h

Next message: Florian Fainelli: "Re: [PATCH 5.4 00/20] 5.4.115-rc1 review"
Previous message: Greg Kroah-Hartman: "Re: [PATCH 000/190] Revertion of all of the umn.edu commits"
In reply to: Hans de Goede: "Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]