From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-10.2 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=unavailable
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 14061C07E9B
	for <linux-kernel@archiver.kernel.org>; Tue, 20 Jul 2021 21:45:04 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id E98E660E0C
	for <linux-kernel@archiver.kernel.org>; Tue, 20 Jul 2021 21:45:03 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234441AbhGTVEP (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Tue, 20 Jul 2021 17:04:15 -0400
Received: from jabberwock.ucw.cz ([46.255.230.98]:41514 "EHLO
        jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232902AbhGTVEE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Jul 2021 17:04:04 -0400
Received: by jabberwock.ucw.cz (Postfix, from userid 1017)
        id 3D63E1C0B77; Tue, 20 Jul 2021 23:44:39 +0200 (CEST)
Date:   Tue, 20 Jul 2021 23:44:38 +0200
From:   Pavel Machek <pavel@denx.de>
To:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-kernel@vger.kernel.org, stable@vger.kernel.org,
        Xie Yongji <xieyongji@bytedance.com>,
        Jason Wang <jasowang@redhat.com>,
        "Michael S. Tsirkin" <mst@redhat.com>,
        Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 4.4 175/188] virtio_console: Assure used length from
 device is limited
Message-ID: <20210720214438.GA704@amd>
References: <20210719144913.076563739@linuxfoundation.org>
 <20210719144942.209087475@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ"
Content-Disposition: inline
In-Reply-To: <20210719144942.209087475@linuxfoundation.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--mP3DRpeJDSE+ciuQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

> From: Xie Yongji <xieyongji@bytedance.com>
>=20
> [ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]
>=20
> The buf->len might come from an untrusted device. This
> ensures the value would not exceed the size of the buffer
> to avoid data corruption or loss.

Since we are not trusting the other side, do we need to use _nospec
variants to prevent speculation attacks?

Best regards,
								Pavel

> +++ b/drivers/char/virtio_console.c
> @@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *por=
t)
> =20
>  	buf =3D virtqueue_get_buf(port->in_vq, &len);
>  	if (buf) {
> -		buf->len =3D len;
> +		buf->len =3D min_t(size_t, len, buf->size);
>  		buf->offset =3D 0;
>  		port->stats.bytes_received +=3D len;
>  	}
> @@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct=
 *work)
>  	while ((buf =3D virtqueue_get_buf(vq, &len))) {
>  		spin_unlock(&portdev->c_ivq_lock);
> =20
> -		buf->len =3D len;
> +		buf->len =3D min_t(size_t, len, buf->size);
>  		buf->offset =3D 0;
> =20
>  		handle_control_message(vq->vdev, portdev, buf);

--=20
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

--mP3DRpeJDSE+ciuQ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmD3Q8YACgkQMOfwapXb+vKqCwCffZCpFKyIt0tiFNZIsq+ffY/j
7g0AnRf+GBNJfgmaVNDDa+qTu3JoZttl
=KJz6
-----END PGP SIGNATURE-----

--mP3DRpeJDSE+ciuQ--