From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.7 required=3.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,
	FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED
	autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C9A83C433B4
	for <linux-kernel@archiver.kernel.org>; Wed, 21 Apr 2021 15:20:08 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 99F446144B
	for <linux-kernel@archiver.kernel.org>; Wed, 21 Apr 2021 15:20:08 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243921AbhDUPUk (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 21 Apr 2021 11:20:40 -0400
Received: from ciao.gmane.io ([116.202.254.214]:40106 "EHLO ciao.gmane.io"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S234308AbhDUPUh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Apr 2021 11:20:37 -0400
Received: from list by ciao.gmane.io with local (Exim 4.92)
        (envelope-from <glk-linux-kernel-4@m.gmane-mx.org>)
        id 1lZEe2-0005hj-2h
        for linux-kernel@vger.kernel.org; Wed, 21 Apr 2021 17:20:02 +0200
X-Injected-Via-Gmane: http://gmane.org/
To:     linux-kernel@vger.kernel.org
From:   Tavis Ormandy <taviso@gmail.com>
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the
 request-header once"
Date:   Wed, 21 Apr 2021 15:14:29 -0000 (UTC)
Message-ID: <s5pfgl$all$1@ciao.gmane.io>
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org>
 <20210421130105.1226686-187-gregkh@linuxfoundation.org>
User-Agent: slrn/pre1.0.4-5 (Linux)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021-04-21, Greg Kroah-Hartman wrote:
> This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
>
> -	*((struct vbg_ioctl_hdr *)buf) = hdr;
> -	if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> -			   hdr.size_in - sizeof(hdr))) {
> +	if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
>  		ret = -EFAULT;
>  		goto out;
>  	}

This one seems like a real bugfix, otherwise there's a double-fetch from
userspace, and a TOCTOU with the hdr fields that could cause a OOB read.

Reviewed-by: Tavis Ormandy <taviso@gmail.com>

Tavis.


-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso