Date: Thu, 22 Apr 2021 01:16:01 +0000
From: Al Viro
To: Tavis Ormandy
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"
Message-ID:
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org> <20210421130105.1226686-187-gregkh@linuxfoundation.org>
In-Reply-To:

On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> On 2021-04-21, Greg Kroah-Hartman wrote:
> > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> >
> > -	*((struct vbg_ioctl_hdr *)buf) = hdr;
> > -	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > -			   hdr.size_in - sizeof(hdr))) {
> > +	if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> >  		ret = -EFAULT;
> >  		goto out;
> >  	}
>
> This one seems like a real bugfix, otherwise there's a double-fetch from
> userspace, and a TOCTOU with the hdr fields that could cause an OOB read.

ACK, except that typecasts in there are messy as hell.  But that's, alas,
consistent with the rest of the function...  Patch itself is correct, and
AFAICS Wenwen Wang might be innocent collateral damage from that mess -
commits from that source appear to be fairly well-written.
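Review bot: the `+` line re-reads the request header from user memory after the driver has already fetched it into `hdr` (the `-` side shows that copy: `*((struct vbg_ioctl_hdr *)buf) = hdr;`), so the header that lands in `buf` is a second, unvalidated fetch and any later code that takes `size_in`, `size_out` or `type` from `buf` rather than from `hdr` can be handed values that differ from the ones checked; that is the double fetch the reverted commit removed, so this revert should be dropped and the three `-` lines kept. On either side of the hunk the casts should be `(void __user *)arg` rather than `(void *)arg`: `copy_from_user()` takes a `const void __user *`, and the bare `void *` cast discards the address-space annotation that sparse uses to catch exactly this kind of user/kernel pointer mix-up.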
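The double fetch Tavis describes, modelled in user space as an added example that is not code from the vbox driver or from anyone on this thread. `copy_from_user_model()` and `struct user_mem` are stand-ins for user memory with a racing writer that changes `size_in` after the first copy; the `struct vbg_ioctl_hdr` layout used here is an assumption of the model, not copied from the kernel headers. Both the reverted (`+`) and the fixed (`-`) patterns are driven with the same racing request, and each returns the `size_in` that later code reading the header out of `buf` would trust:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct vbg_ioctl_hdr. Field names follow the vbox driver's
 * public header; the exact layout is an assumption of this model. */
struct vbg_ioctl_hdr {
	uint32_t size_in;
	uint32_t version;
	uint32_t type;
	int32_t  rc;
	uint32_t size_out;
	uint32_t reserved;
};

#define MAX_REQ 64	/* kernel-side buffer the request is copied into */

/* Model of user memory plus a "racing thread": right after the first
 * fetch it rewrites size_in. A real attacker does this from another CPU. */
struct user_mem {
	unsigned char bytes[256];
	int fetches;
	uint32_t flip_size_in_to;	/* 0 = no race */
};

/* Analogue of copy_from_user(): 0 on success, -1 (EFAULT) on a bad range.
 * The race fires exactly once, after the first successful copy. */
static int copy_from_user_model(void *dst, struct user_mem *um,
				size_t off, size_t len)
{
	if (off + len > sizeof(um->bytes))
		return -1;
	memcpy(dst, um->bytes + off, len);
	if (++um->fetches == 1 && um->flip_size_in_to)
		memcpy(um->bytes, &um->flip_size_in_to, sizeof(uint32_t));
	return 0;
}

/* The driver's validation of the header it fetched into hdr. */
static int check_hdr(const struct vbg_ioctl_hdr *hdr, size_t buflen)
{
	return (hdr->size_in < sizeof(*hdr) || hdr->size_in > buflen) ? -1 : 0;
}

/* Reverted ("+") pattern: validate hdr, then copy the whole request,
 * header included, from user memory a second time. Returns the size_in
 * that code reading the header out of buf would trust, or -1. */
static int ioctl_double_fetch(struct user_mem *um, unsigned char *buf, size_t buflen)
{
	struct vbg_ioctl_hdr hdr, in_buf;

	if (copy_from_user_model(&hdr, um, 0, sizeof(hdr)) || check_hdr(&hdr, buflen))
		return -1;
	if (copy_from_user_model(buf, um, 0, hdr.size_in))	/* re-fetches header */
		return -1;
	memcpy(&in_buf, buf, sizeof(in_buf));
	return (int)in_buf.size_in;
}

/* Fixed ("-") pattern: place the already-validated hdr into buf and fetch
 * only the bytes after it, so the header is read from user memory once. */
static int ioctl_single_fetch(struct user_mem *um, unsigned char *buf, size_t buflen)
{
	struct vbg_ioctl_hdr hdr, in_buf;

	if (copy_from_user_model(&hdr, um, 0, sizeof(hdr)) || check_hdr(&hdr, buflen))
		return -1;
	memcpy(buf, &hdr, sizeof(hdr));
	if (copy_from_user_model(buf + sizeof(hdr), um, sizeof(hdr),
				 hdr.size_in - sizeof(hdr)))
		return -1;
	memcpy(&in_buf, buf, sizeof(in_buf));
	return (int)in_buf.size_in;
}

/* Constructed request: a valid 32-byte request whose size_in the racer
 * flips to flip_to (4096, far beyond MAX_REQ) after the first fetch. */
static void setup_user(struct user_mem *um, uint32_t size_in, uint32_t flip_to)
{
	struct vbg_ioctl_hdr hdr = { .size_in = size_in, .version = 0x10001,
				     .type = 1, .size_out = size_in };
	memset(um, 0, sizeof(*um));
	memcpy(um->bytes, &hdr, sizeof(hdr));
	um->flip_size_in_to = flip_to;
}

int run_double_fetch(void)
{
	struct user_mem um; unsigned char buf[MAX_REQ];
	setup_user(&um, 32, 4096);
	return ioctl_double_fetch(&um, buf, sizeof(buf));
}

int run_single_fetch(void)
{
	struct user_mem um; unsigned char buf[MAX_REQ];
	setup_user(&um, 32, 4096);
	return ioctl_single_fetch(&um, buf, sizeof(buf));
}

int main(void)
{
	printf("double fetch: buf claims size_in=%d (validated 32, buffer %d)\n",
	       run_double_fetch(), MAX_REQ);
	printf("single fetch: buf claims size_in=%d\n", run_single_fetch());
	return 0;
}
```

With the race, the double-fetch path passes validation on `size_in = 32` but ends up with a header in `buf` saying `size_in = 4096`; any request handler that sizes its reads from that copy walks well past the 64-byte buffer, which is the OOB read Tavis refers to. The single-fetch path returns 32 regardless of what the racer does, because the only header bytes that ever reach `buf` are the validated ones.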