[PATCH 1/3] tools: hv: fcopy_daemon: Check buffer limits

[PATCH 1/3] tools: hv: fcopy_daemon: Check buffer limits

[Matej Mužila]

From: Matej Mužila <mmuzila@redhat.com>

Check if cpmsg->size is in limits of DATA_FRAGMENT

Signed-off-by: Matej Mužila <mmuzila@redhat.com>
Acked-by:  K. Y. Srinivasan <kys@microsoft.com>
---
If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
read from memory outside of the buffer (defined at line 138).
Added check. 
---
@@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
 {
 	ssize_t bytes_written;
 
+	// Check if the cpmsg->size is in limits of DATA_FRAGMENT
+	if (cpmsg->size > DATA_FRAGMENT * sizeof(__u8))
+		return HV_E_FAIL;
+
 	bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
 				cpmsg->offset);

Re: [PATCH 1/3] tools: hv: fcopy_daemon: Check buffer limits

[One Thousand Gnomes]

On Tue, 21 Oct 2014 13:49:00 +0200
Matej Mužila <mmuzila@redhat.com> wrote:

> From: Matej Mužila <mmuzila@redhat.com>
> 
> Check if cpmsg->size is in limits of DATA_FRAGMENT
> 
> Signed-off-by: Matej Mužila <mmuzila@redhat.com>
> Acked-by:  K. Y. Srinivasan <kys@microsoft.com>
> ---
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check. 
> ---
> @@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
>  {
>  	ssize_t bytes_written;
>  
> +	// Check if the cpmsg->size is in limits of DATA_FRAGMENT
> +	if (cpmsg->size > DATA_FRAGMENT * sizeof(__u8))
> +		return HV_E_FAIL;
> +

- C style comments for coding style, also sizeof(__u8) is by definition 1
  so it's perhaps surplus ?

Also your patch block is devoid of a few thins like the file name...

Re: [PATCH 1/3] tools: hv: fcopy_daemon: Check buffer limits

[Matej Mužila]

> sizeof(__u8) is by definition 1 so it's perhaps surplus ?
Now the size is now determined from the structure definition in
include/uapi/linux/hyperv.h

> - C style comments for coding style
Fixed

> Also your patch block is devoid of a few thins like the file name...
I'm sorry, the (missing) filename mistake occured in copy-paste process.


Here is the patch as it (I hope) should look like:
---
From: Matej Mužila <mmuzila@redhat.com>

Check if cpmsg->size is in limits of DATA_FRAGMENT

Signed-off-by: Matej Mužila <mmuzila@redhat.com>
---
If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
read from memory outside of the buffer (defined at line 138).
Added check. 
---
diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
index 6f27e2f..1fc2dc2 100644
--- a/tools/hv/hv_fcopy_daemon.c
+++ b/tools/hv/hv_fcopy_daemon.c
@@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
 {
 	ssize_t bytes_written;
 
+	/* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
+	if (cpmsg->size > sizeof(cpmsg->data)) 
+		return HV_E_FAIL;
+
 	bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
 				cpmsg->offset);

Re: [PATCH 1/3] tools: hv: fcopy_daemon: Check buffer limits

[Dan Carpenter]

On Tue, Oct 21, 2014 at 02:59:58PM +0200, Matej Mužila wrote:
> > sizeof(__u8) is by definition 1 so it's perhaps surplus ?
> Now the size is now determined from the structure definition in
> include/uapi/linux/hyperv.h
> 
> > - C style comments for coding style
> Fixed
> 
> > Also your patch block is devoid of a few thins like the file name...
> I'm sorry, the (missing) filename mistake occured in copy-paste process.
> 

Copy and paste is very error prone...

> 
> Here is the patch as it (I hope) should look like:

This patch looks good, but please resend it as a proper v2 patch.

https://www.google.com/search?q=how+to+send+a+v2+patch

> ---
> From: Matej Mužila <mmuzila@redhat.com>
> 
> Check if cpmsg->size is in limits of DATA_FRAGMENT
> 
> Signed-off-by: Matej Mužila <mmuzila@redhat.com>
> ---
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check. 

Put this information in the patch description and not beyond the cut
off.  That information is useful.

The cut off is meant for meta comentary to say what changed between v1
and v2 etc, which is nice to have but we don't want to preserve it.

regards,
dan carpenter

[PATCH v2 1/3] tools: hv: fcopy_daemon: Check buffer limits

[Matej Mužila]

From: Matej Mužila <mmuzila@redhat.com>

Check if cpmsg->size is in limits of DATA_FRAGMENT

Signed-off-by: Matej Mužila <mmuzila@redhat.com>
---

If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
read from memory outside of the buffer (defined at line 138).
Added check. 

Changes made since v1:
	* max value of cmesg->size is now derived from structure
	  definition in sources/include/uapi/linux/hyperv.h
	* Fixed comments


diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
index 6f27e2f..1fc2dc2 100644
--- a/tools/hv/hv_fcopy_daemon.c
+++ b/tools/hv/hv_fcopy_daemon.c
@@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
 {
 	ssize_t bytes_written;
 
+	/* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
+	if (cpmsg->size > sizeof(cpmsg->data)) 
+		return HV_E_FAIL;
+
 	bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
 				cpmsg->offset);

Re: [PATCH v2 1/3] tools: hv: fcopy_daemon: Check buffer limits

[Greg KH]

On Tue, Oct 21, 2014 at 04:46:58PM +0200, Matej Mužila wrote:
> From: Matej Mužila <mmuzila@redhat.com>
> 
> Check if cpmsg->size is in limits of DATA_FRAGMENT
> 
> Signed-off-by: Matej Mužila <mmuzila@redhat.com>
> ---
> 
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check. 
> 
> Changes made since v1:
> 	* max value of cmesg->size is now derived from structure
> 	  definition in sources/include/uapi/linux/hyperv.h
> 	* Fixed comments
> 
> 
> diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
> index 6f27e2f..1fc2dc2 100644
> --- a/tools/hv/hv_fcopy_daemon.c
> +++ b/tools/hv/hv_fcopy_daemon.c
> @@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
>  {
>  	ssize_t bytes_written;
>  
> +	/* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
> +	if (cpmsg->size > sizeof(cpmsg->data)) 
> +		return HV_E_FAIL;
> +
>  	bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
>  				cpmsg->offset);
> 

ALWAYS run your patches through checkpatch before sending them, so you
don't get grumpy emails from maintainers telling you to do the same
thing...

Please fix this up and resend the whole series.

thanks,

greg k-h