[PATCH] net: vmw_vsock: vmci: Check memcpy_from_msg()

[PATCH] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

We returns from vmci_transport_dgram_enqueue() with error
if memcpy goes wrong

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 net/vmw_vsock/vmci_transport.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..7994090e0314 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,8 @@ static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len))
+		return -EFAULT;
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);
-- 
2.30.3

Re: [PATCH] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Vishnu Dasa]

> On Dec 2, 2022, at 2:58 PM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> 
> We returns from vmci_transport_dgram_enqueue() with error
> if memcpy goes wrong

Thanks for the patch.

Nit: could you please update the description?  Maybe something like -
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). Return with an error if the memcpy fails.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> ---
> net/vmw_vsock/vmci_transport.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index 842c94286d31..7994090e0314 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -1711,7 +1711,8 @@ static int vmci_transport_dgram_enqueue(
> 	if (!dg)
> 		return -ENOMEM;
> 
> -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> +	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len))

Need to free dg using kfree() before returning.

> +		return -EFAULT;
> 
> 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
> 				   remote_addr->svm_port);
> -- 
> 2.30.3
> 

Re: [PATCH] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

Hi,
On Sat, Dec 03, 2022 at 01:17:33AM +0000, Vishnu Dasa wrote:
> 
> 
> > On Dec 2, 2022, at 2:58 PM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> > 
> > We returns from vmci_transport_dgram_enqueue() with error
> > if memcpy goes wrong
> 
> Thanks for the patch.
> 
> Nit: could you please update the description?  Maybe something like -
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg(). Return with an error if the memcpy fails.
> 
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> > Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> > ---
> > net/vmw_vsock/vmci_transport.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> > index 842c94286d31..7994090e0314 100644
> > --- a/net/vmw_vsock/vmci_transport.c
> > +++ b/net/vmw_vsock/vmci_transport.c
> > @@ -1711,7 +1711,8 @@ static int vmci_transport_dgram_enqueue(
> > 	if (!dg)
> > 		return -ENOMEM;
> > 
> > -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> > +	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len))
> 
> Need to free dg using kfree() before returning.
> 
> > +		return -EFAULT;
> > 
> > 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
> > 				   remote_addr->svm_port);
> > -- 
> > 2.30.3
> > 
> 

Thanks for review. I'll fix flaws in a patch ASAP

Artem

[PATCH v2] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). Return with an error if the memcpy fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
V1->V2 Fix memory leaking and updates for description

 net/vmw_vsock/vmci_transport.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..c94c3deaa09d 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,10 @@ static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
+		kfree(dg);
+		return -EFAULT;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);
-- 
2.30.3

Re: [PATCH v2] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Stefano Garzarella]

On Sat, Dec 03, 2022 at 11:33:12AM +0300, Artem Chernyshev wrote:
>vmci_transport_dgram_enqueue() does not check the return value
>of memcpy_from_msg(). Return with an error if the memcpy fails.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
>Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
>---
>V1->V2 Fix memory leaking and updates for description
>
> net/vmw_vsock/vmci_transport.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
>index 842c94286d31..c94c3deaa09d 100644
>--- a/net/vmw_vsock/vmci_transport.c
>+++ b/net/vmw_vsock/vmci_transport.c
>@@ -1711,7 +1711,10 @@ static int vmci_transport_dgram_enqueue(
> 	if (!dg)
> 		return -ENOMEM;
>
>-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
>+	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
>+		kfree(dg);
>+		return -EFAULT;

Since memcpy_from_msg() is a wrapper of copy_from_iter_full() that 
simply returns -EFAULT in case of an error, perhaps it would be better 
here to return the value of memcpy_from_msg() instead of wiring the 
error.

However in the end the behavior is the same, so even if you don't want 
to change it I'll leave my R-b:

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Thanks,
Stefano

Re: [PATCH v2] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

Hi,
On Mon, Dec 05, 2022 at 10:47:36AM +0100, Stefano Garzarella wrote:
> On Sat, Dec 03, 2022 at 11:33:12AM +0300, Artem Chernyshev wrote:
> > vmci_transport_dgram_enqueue() does not check the return value
> > of memcpy_from_msg(). Return with an error if the memcpy fails.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> > Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> > ---
> > V1->V2 Fix memory leaking and updates for description
> > 
> > net/vmw_vsock/vmci_transport.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> > index 842c94286d31..c94c3deaa09d 100644
> > --- a/net/vmw_vsock/vmci_transport.c
> > +++ b/net/vmw_vsock/vmci_transport.c
> > @@ -1711,7 +1711,10 @@ static int vmci_transport_dgram_enqueue(
> > 	if (!dg)
> > 		return -ENOMEM;
> > 
> > -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> > +	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
> > +		kfree(dg);
> > +		return -EFAULT;
> 
> Since memcpy_from_msg() is a wrapper of copy_from_iter_full() that simply
> returns -EFAULT in case of an error, perhaps it would be better here to
> return the value of memcpy_from_msg() instead of wiring the error.
> 
> However in the end the behavior is the same, so even if you don't want to
> change it I'll leave my R-b:
> 
> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
> 
> Thanks,
> Stefano

Thank you for review. Sure, I will change that in V3

Artem

[PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). Return with an error if the memcpy fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
V1->V2 Fix memory leaking and updates for description
V2->V3 Return the value of memcpy_from_msg()

 net/vmw_vsock/vmci_transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..36eb16a40745 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (err) {
+		kfree(dg);
+		return err;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);
-- 
2.30.3

Re: [PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Stefano Garzarella]

On Mon, Dec 05, 2022 at 02:52:00PM +0300, Artem Chernyshev wrote:
>vmci_transport_dgram_enqueue() does not check the return value
>of memcpy_from_msg(). Return with an error if the memcpy fails.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
>Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
>---
>V1->V2 Fix memory leaking and updates for description
>V2->V3 Return the value of memcpy_from_msg()
>
> net/vmw_vsock/vmci_transport.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Re: [PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Vishnu Dasa]

> On Dec 5, 2022, at 3:52 AM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> 
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg(). Return with an error if the memcpy fails.

I think we can add some more information in the description.  Sorry, I
should've said this earlier.

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination.  Return with an error if
memcpy_from_msg() fails.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>

Thanks, Artem!  This version looks good to me modulo my suggestion
about the description above.

Reviewed-by: Vishnu Dasa <vdasa@vmware.com>

Regards,
Vishnu

> ---
> V1->V2 Fix memory leaking and updates for description
> V2->V3 Return the value of memcpy_from_msg()
> 
> net/vmw_vsock/vmci_transport.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index 842c94286d31..36eb16a40745 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
> 	if (!dg)
> 		return -ENOMEM;
> 
> -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> +	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> +	if (err) {
> +		kfree(dg);
> +		return err;
> +	}
> 
> 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
> 				   remote_addr->svm_port);
> -- 
> 2.30.3
> 

Re: [PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

Hi,
On Mon, Dec 05, 2022 at 11:03:47PM +0000, Vishnu Dasa wrote:
> 
> > On Dec 5, 2022, at 3:52 AM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> > 
> > vmci_transport_dgram_enqueue() does not check the return value
> > of memcpy_from_msg(). Return with an error if the memcpy fails.
> 
> I think we can add some more information in the description.  Sorry, I
> should've said this earlier.
> 
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
> uninitialized memory contents are sent unintentionally instead of user's
> message in the datagram to the destination.  Return with an error if
> memcpy_from_msg() fails.
> 
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> > Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> 
> Thanks, Artem!  This version looks good to me modulo my suggestion
> about the description above.
> 
> Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
> 
> Regards,
> Vishnu
> 
No problem, I'll change description in v4

Thanks,
Artem

[PATCH v4] net: vmw_vsock: vmci: Check memcpy_from_msg()

[Artem Chernyshev]

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination.  Return with an error if
memcpy_from_msg() fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
---
V1->V2 Fix memory leaking and updates for description
V2->V3 Return the value of memcpy_from_msg()
V3->V4 Updates for description

 net/vmw_vsock/vmci_transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..36eb16a40745 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (err) {
+		kfree(dg);
+		return err;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);
-- 
2.30.3

Re: [PATCH v4] net: vmw_vsock: vmci: Check memcpy_from_msg()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Tue,  6 Dec 2022 09:58:34 +0300 you wrote:
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
> uninitialized memory contents are sent unintentionally instead of user's
> message in the datagram to the destination.  Return with an error if
> memcpy_from_msg() fails.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> [...]

Here is the summary with links:
  - [v4] net: vmw_vsock: vmci: Check memcpy_from_msg()
    https://git.kernel.org/netdev/net/c/44aa5a6dba82

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html