* Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API
[not found] <1151498255.5788.1389332631491.JavaMail.zimbra@efficios.com>
@ 2014-01-10 5:56 ` Mathieu Desnoyers
2014-01-10 14:21 ` Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Mathieu Desnoyers @ 2014-01-10 5:56 UTC (permalink / raw)
To: Ashutosh Dixit, Sudeep Dutt
Cc: Caz Yokoyama, Dasaratharaman Chandramouli, Nikhil Rao,
Harshavardhan R Kharche, Peter P Waskiewicz Jr,
Greg Kroah-Hartman, Linux Kernel Mailing List
Hi,
Looking at this commit:
commit f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
Author: Ashutosh Dixit <ashutosh.dixit@intel.com>
Date: Thu Sep 5 16:42:18 2013 -0700
Intel MIC Host Driver Changes for Virtio Devices.
Especially at:
+struct mic_copy_desc {
+#ifdef __KERNEL__
+ struct iovec __user *iov;
+#else
+ struct iovec *iov;
+#endif
+ int iovcnt;
+ __u8 vr_idx;
+ __u8 update_used;
+ __u32 out_len;
+};
Seeing iovcnt being declared as a signed integer seems strange. The
first question would be: why is it signed rather than unsigned ?
Then, looking further into
drivers/misc/mic/host/mic_virtio.c:_mic_virtio_copy()
We can see that the while() loop iterates until the local variable
iovcnt reaches the value 0 (and iovcnt is also a signed integer). If
user-space passes e.g. INT_MIN as iovcnt field, this loop then appears
to depend on an undefined behavior (signed underflow) to complete.
Wouldn't it be better to use an unsigned integers both in the
userspace API and for the local variable ?
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API
2014-01-10 5:56 ` Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API Mathieu Desnoyers
@ 2014-01-10 14:21 ` Greg Kroah-Hartman
2014-01-10 18:22 ` Sudeep Dutt
0 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2014-01-10 14:21 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Ashutosh Dixit, Sudeep Dutt, Caz Yokoyama,
Dasaratharaman Chandramouli, Nikhil Rao, Harshavardhan R Kharche,
Peter P Waskiewicz Jr, Linux Kernel Mailing List
On Fri, Jan 10, 2014 at 05:56:25AM +0000, Mathieu Desnoyers wrote:
> Hi,
>
> Looking at this commit:
>
> commit f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
> Author: Ashutosh Dixit <ashutosh.dixit@intel.com>
> Date: Thu Sep 5 16:42:18 2013 -0700
>
> Intel MIC Host Driver Changes for Virtio Devices.
>
> Especially at:
>
> +struct mic_copy_desc {
> +#ifdef __KERNEL__
> + struct iovec __user *iov;
> +#else
> + struct iovec *iov;
> +#endif
> + int iovcnt;
> + __u8 vr_idx;
> + __u8 update_used;
> + __u32 out_len;
> +};
>
> Seeing iovcnt being declared as a signed integer seems strange. The
> first question would be: why is it signed rather than unsigned ?
>
> Then, looking further into
>
> drivers/misc/mic/host/mic_virtio.c:_mic_virtio_copy()
>
> We can see that the while() loop iterates until the local variable
> iovcnt reaches the value 0 (and iovcnt is also a signed integer). If
> user-space passes e.g. INT_MIN as iovcnt field, this loop then appears
> to depend on an undefined behavior (signed underflow) to complete.
> Wouldn't it be better to use an unsigned integers both in the
> userspace API and for the local variable ?
Better yet, it should be a "__" type variable, as "int" doesn't mean
much when crossing the user/kernel boundry...
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API
2014-01-10 14:21 ` Greg Kroah-Hartman
@ 2014-01-10 18:22 ` Sudeep Dutt
2014-01-10 20:43 ` Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Sudeep Dutt @ 2014-01-10 18:22 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Mathieu Desnoyers, Ashutosh Dixit, Caz Yokoyama,
Dasaratharaman Chandramouli, Nikhil Rao, Harshavardhan R Kharche,
Peter P Waskiewicz Jr, Linux Kernel Mailing List, Sudeep Dutt
On Fri, 2014-01-10 at 06:21 -0800, Greg Kroah-Hartman wrote:
> On Fri, Jan 10, 2014 at 05:56:25AM +0000, Mathieu Desnoyers wrote:
> > Hi,
> >
> > Looking at this commit:
> >
> > commit f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
> > Author: Ashutosh Dixit <ashutosh.dixit@intel.com>
> > Date: Thu Sep 5 16:42:18 2013 -0700
> >
> > Intel MIC Host Driver Changes for Virtio Devices.
> >
> > Especially at:
> >
> > +struct mic_copy_desc {
> > +#ifdef __KERNEL__
> > + struct iovec __user *iov;
> > +#else
> > + struct iovec *iov;
> > +#endif
> > + int iovcnt;
> > + __u8 vr_idx;
> > + __u8 update_used;
> > + __u32 out_len;
> > +};
> >
> > Seeing iovcnt being declared as a signed integer seems strange. The
> > first question would be: why is it signed rather than unsigned ?
> >
> > Then, looking further into
> >
> > drivers/misc/mic/host/mic_virtio.c:_mic_virtio_copy()
> >
> > We can see that the while() loop iterates until the local variable
> > iovcnt reaches the value 0 (and iovcnt is also a signed integer). If
> > user-space passes e.g. INT_MIN as iovcnt field, this loop then appears
> > to depend on an undefined behavior (signed underflow) to complete.
> > Wouldn't it be better to use an unsigned integers both in the
> > userspace API and for the local variable ?
>
> Better yet, it should be a "__" type variable, as "int" doesn't mean
> much when crossing the user/kernel boundry...
>
We had designed the interface to be similar to readv(..)/writev(..)
which takes an integer iovcnt. However, the suggestion to use __u32
works nicely since it avoids adding the missing integer parameter
validation in the driver. We will post a patch incorporating this
feedback for the next kernel release.
Thanks to Mathieu for reporting this issue.
Sudeep Dutt
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API
2014-01-10 18:22 ` Sudeep Dutt
@ 2014-01-10 20:43 ` Greg Kroah-Hartman
0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2014-01-10 20:43 UTC (permalink / raw)
To: Sudeep Dutt
Cc: Mathieu Desnoyers, Ashutosh Dixit, Caz Yokoyama,
Dasaratharaman Chandramouli, Nikhil Rao, Harshavardhan R Kharche,
Peter P Waskiewicz Jr, Linux Kernel Mailing List
On Fri, Jan 10, 2014 at 10:22:55AM -0800, Sudeep Dutt wrote:
> On Fri, 2014-01-10 at 06:21 -0800, Greg Kroah-Hartman wrote:
> > On Fri, Jan 10, 2014 at 05:56:25AM +0000, Mathieu Desnoyers wrote:
> > > Hi,
> > >
> > > Looking at this commit:
> > >
> > > commit f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
> > > Author: Ashutosh Dixit <ashutosh.dixit@intel.com>
> > > Date: Thu Sep 5 16:42:18 2013 -0700
> > >
> > > Intel MIC Host Driver Changes for Virtio Devices.
> > >
> > > Especially at:
> > >
> > > +struct mic_copy_desc {
> > > +#ifdef __KERNEL__
> > > + struct iovec __user *iov;
> > > +#else
> > > + struct iovec *iov;
> > > +#endif
> > > + int iovcnt;
> > > + __u8 vr_idx;
> > > + __u8 update_used;
> > > + __u32 out_len;
> > > +};
Oh, there's also the obvious 32/64 bit userspace/kernel issue here as
well, but I'm sure you all know how to handle that properly. It would
be nice to fix that up, if you can change the ABI still.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-01-10 20:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <1151498255.5788.1389332631491.JavaMail.zimbra@efficios.com>
2014-01-10 5:56 ` Intel MIC host driver: possible signed underflow (undefined behavior) in userspace API Mathieu Desnoyers
2014-01-10 14:21 ` Greg Kroah-Hartman
2014-01-10 18:22 ` Sudeep Dutt
2014-01-10 20:43 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).