From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752665AbeBCRIg (ORCPT ); Sat, 3 Feb 2018 12:08:36 -0500 Received: from aserp2130.oracle.com ([141.146.126.79]:57546 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752026AbeBCRI1 (ORCPT ); Sat, 3 Feb 2018 12:08:27 -0500 Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy To: Arnd Bergmann Cc: Juergen Gross , Nicolas Pitre , Andi Kleen , Dan Carpenter , Jan Beulich , xen-devel , Linux Kernel Mailing List References: <20180202153240.1190361-1-arnd@arndb.de> From: Boris Ostrovsky Message-ID: <1e3424f4-771b-51ad-3630-0faf47e388e0@oracle.com> Date: Sat, 3 Feb 2018 12:08:14 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8794 signatures=668662 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802030229 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/03/2018 10:12 AM, Arnd Bergmann wrote: > On Sat, Feb 3, 2018 at 12:33 AM, Boris Ostrovsky > wrote: >> On 02/02/2018 10:32 AM, Arnd Bergmann wrote: >>> The legacy hypercall handlers were originally added with >>> a comment explaining that "copying the argument structures in >>> HYPERVISOR_event_channel_op() and HYPERVISOR_physdev_op() into the local >>> variable is sufficiently safe" and only made sure to not write >>> past the end of the argument structure, the checks in linux/string.h >>> disagree with that, when link-time optimizations are used: >>> >>> In function 'memcpy', >>> inlined from 'pirq_query_unmask' at drivers/xen/fallback.c:53:2, >>> inlined from '__startup_pirq' at drivers/xen/events/events_base.c:529:2, >>> inlined from 'restore_pirqs' at drivers/xen/events/events_base.c:1439:3, >>> inlined from 'xen_irq_resume' at drivers/xen/events/events_base.c:1581:2: >>> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter >>> __read_overflow2(); >>> ^ >>> make[3]: *** [ccLujFNx.ltrans15.ltrans.o] Error 1 >>> make[3]: Target 'all' not remade because of errors. >>> lto-wrapper: fatal error: make returned 2 exit status >>> compilation terminated. >>> ld: error: lto-wrapper failed >>> >>> This changes the functions so that each argument is accessed with >>> exactly the correct length based on the command code. >>> >>> Fixes: cf47a83fb06e ("xen/hypercall: fix hypercall fallback code for very old hypervisors") >>> Signed-off-by: Arnd Bergmann >>> --- >>> drivers/xen/fallback.c | 94 ++++++++++++++++++++++++++++---------------------- >>> 1 file changed, 53 insertions(+), 41 deletions(-) >>> > >>> default: >>> - WARN_ON(rc != -ENOSYS); >>> - break; >>> + return -ENOSYS; >>> } >>> >>> + memcpy(&op.u, arg, len); >>> + rc = _hypercall1(int, event_channel_op_compat, &op); >>> + memcpy(arg, &op.u, len); >> >> >> We don't copy back for all commands, only those that are COPY_BACK. > > Not sure what you mean. Is it harmful to copy back the data for the others > in any way? Otherwise I wouldn't micro-optimize this. I should have checked the original commit for fallback.c --- the code that it replaced was doing copybacks for all hypercalls and selective copybacks is an optimization introduced in that commit. -boris