Date: Fri, 2 Feb 2018 18:53:09 +0300
From: Dan Carpenter
To: Arnd Bergmann
Cc: Boris Ostrovsky, Juergen Gross, Nicolas Pitre, Andi Kleen, Jan Beulich, xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy
Message-ID: <20180202155309.2xg2gjcp7wb7bbpe@mwanda>
In-Reply-To: <20180202153240.1190361-1-arnd@arndb.de>
References: <20180202153240.1190361-1-arnd@arndb.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 02, 2018 at 04:32:31PM +0100, Arnd Bergmann wrote:
> The legacy hypercall handlers were originally added with
> a comment explaining that "copying the argument structures in
> HYPERVISOR_event_channel_op() and HYPERVISOR_physdev_op() into the local
> variable is sufficiently safe" and only made sure to not write
> past the end of the argument structure, the checks in linux/string.h
> disagree with that, when link-time optimizations are used:
>
> In function 'memcpy',
> inlined from 'pirq_query_unmask' at drivers/xen/fallback.c:53:2,
> inlined from '__startup_pirq' at drivers/xen/events/events_base.c:529:2,
> inlined from 'restore_pirqs' at drivers/xen/events/events_base.c:1439:3,
> inlined from 'xen_irq_resume' at drivers/xen/events/events_base.c:1581:2:
> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
> __read_overflow2();
> ^
> make[3]: *** [ccLujFNx.ltrans15.ltrans.o] Error 1
> make[3]: Target 'all' not remade because of errors.
> lto-wrapper: fatal error: make returned 2 exit status
> compilation terminated.
> ld: error: lto-wrapper failed
>

It was a more naive era. :P

> This changes the functions so that each argument is accessed with
> exactly the correct length based on the command code.
>
> Fixes: cf47a83fb06e ("xen/hypercall: fix hypercall fallback code for very old hypervisors")
> Signed-off-by: Arnd Bergmann
> ---
> drivers/xen/fallback.c | 94 ++++++++++++++++++++++++++++----------------------
> 1 file changed, 53 insertions(+), 41 deletions(-)
>
> diff --git a/drivers/xen/fallback.c b/drivers/xen/fallback.c
> index b04fb64c5a91..eded8dd821ad 100644
> --- a/drivers/xen/fallback.c
> +++ b/drivers/xen/fallback.c
> @@ -7,75 +7,87 @@
>
> int xen_event_channel_op_compat(int cmd, void *arg)
> {
> - struct evtchn_op op;
> + struct evtchn_op op = { .cmd = cmd, };
> + size_t len;
> int rc;
>
> - op.cmd = cmd;
> - memcpy(&op.u, arg, sizeof(op.u));
> - rc = _hypercall1(int, event_channel_op_compat, &op);
> -
> switch (cmd) {
> + case EVTCHNOP_bind_interdomain:
> + len = sizeof(struct evtchn_bind_interdomain);
> + break;

This was in the original code, but I'm slightly surprised that we're
using a switch statement here instead of a table. I would have thought
this is a fast path but I don't know xen at all.

regards,
dan carpenter
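Review bot: `size_t len;` in xen_event_channel_op_compat() is declared without an initializer, and only the EVTCHNOP_bind_interdomain arm of the switch is visible in this hunk, so the switch needs a `default:` arm that either sets `len` or returns an error before `len` is used for the copy from `arg`; otherwise an unrecognised command code reaches the copy with an indeterminate length, which is the same class of over-read the patch is removing (the old `memcpy(&op.u, arg, sizeof(op.u))` read the full union size regardless of `cmd`). The `{ .cmd = cmd, }` initializer is worth keeping as-is: the part of `op.u` beyond `len` is now zeroed rather than left holding stale stack contents when it is handed to the hypervisor.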