From: Arnd Bergmann
Date: Sat, 3 Feb 2018 16:12:26 +0100
Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy
To: Boris Ostrovsky
Cc: Juergen Gross, Nicolas Pitre, Andi Kleen, Dan Carpenter, Jan Beulich, xen-devel, Linux Kernel Mailing List
In-Reply-To / References: <20180202153240.1190361-1-arnd@arndb.de>
List-ID: linux-kernel@vger.kernel.org

On Sat, Feb 3, 2018 at 12:33 AM, Boris Ostrovsky wrote:
> On 02/02/2018 10:32 AM, Arnd Bergmann wrote:
>> The legacy hypercall handlers were originally added with
>> a comment explaining that "copying the argument structures in
>> HYPERVISOR_event_channel_op() and HYPERVISOR_physdev_op() into the local
>> variable is sufficiently safe" and only made sure to not write
>> past the end of the argument structure, the checks in linux/string.h
>> disagree with that, when link-time optimizations are used:
>>
>> In function 'memcpy',
>>     inlined from 'pirq_query_unmask' at drivers/xen/fallback.c:53:2,
>>     inlined from '__startup_pirq' at drivers/xen/events/events_base.c:529:2,
>>     inlined from 'restore_pirqs' at drivers/xen/events/events_base.c:1439:3,
>>     inlined from 'xen_irq_resume' at drivers/xen/events/events_base.c:1581:2:
>> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
>>    __read_overflow2();
>>    ^
>> make[3]: *** [ccLujFNx.ltrans15.ltrans.o] Error 1
>> make[3]: Target 'all' not remade because of errors.
>> lto-wrapper: fatal error: make returned 2 exit status
>> compilation terminated.
>> ld: error: lto-wrapper failed
>>
>> This changes the functions so that each argument is accessed with
>> exactly the correct length based on the command code.
>>
>> Fixes: cf47a83fb06e ("xen/hypercall: fix hypercall fallback code for very old hypervisors")
>> Signed-off-by: Arnd Bergmann
>> ---
>>  drivers/xen/fallback.c | 94 ++++++++++++++++++++++++++++----------------------
>>  1 file changed, 53 insertions(+), 41 deletions(-)
>>
>>  	default:
>> -		WARN_ON(rc != -ENOSYS);
>> -		break;
>> +		return -ENOSYS;
>>  	}
>>
>> +	memcpy(&op.u, arg, len);
>> +	rc = _hypercall1(int, event_channel_op_compat, &op);
>> +	memcpy(arg, &op.u, len);
>
>
> We don't copy back for all commands, only those that are COPY_BACK.

Not sure what you mean. Is it harmful to copy back the data for the others
in any way? Otherwise I wouldn't micro-optimize this.

      Arnd
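Review bot: the trailing `memcpy(arg, &op.u, len)` in the quoted hunk copies back for every command code, whereas the reply above notes that the previous code copied back only for COPY_BACK commands. Because `len` is the exact per-command size and the same `len` bytes were just read from `arg`, the write stays inside the caller's object, but it is a behaviour change that the commit message should state, or the second memcpy could keep the COPY_BACK gating. The `default:` change from `WARN_ON(rc != -ENOSYS); break;` to `return -ENOSYS;` is a second behaviour change the commit message does not mention: an unknown command is now rejected before the compat hypercall is issued, rather than being passed through and warned about afterwards.

To make the fix described in the commit message concrete, here is an added example (not code from the kernel patch or from the Xen tree) contrasting the old "copy the whole union" pattern with the per-command-length pattern. The argument structures, the command values' layouts and `fake_hypercall` are constructed stand-ins; the `arg_size` parameter models the object size that the kernel's fortified memcpy derives at compile time, so the overflow is reported at run time here instead of as `__read_overflow2` at link time:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for two event-channel argument structures. */
struct evtchn_close  { uint32_t port; };
struct evtchn_status { uint32_t dom, port, status; uint64_t pad[3]; };
enum { EVTCHNOP_close = 3, EVTCHNOP_status = 5 };

/* Local copy the handler works on, sized for the largest command. */
union compat_op { struct evtchn_close close; struct evtchn_status status; };

/* Hypervisor stand-in (constructed): only the status query writes back. */
static int fake_hypercall(int cmd, union compat_op *op)
{
    if (cmd == EVTCHNOP_status) op->status.status = 42;
    return 0;
}

/* Old pattern: copy sizeof(op) in and out whatever the caller passed. */
static int legacy_op(int cmd, void *arg, size_t arg_size)
{
    union compat_op op;
    if (sizeof(op) > arg_size)        /* the over-read FORTIFY flags under LTO */
        return -EOVERFLOW;
    memcpy(&op, arg, sizeof(op));
    int rc = fake_hypercall(cmd, &op);
    memcpy(arg, &op, sizeof(op));
    return rc;
}

/* Fixed pattern: exact length per command code, unknown codes rejected. */
static int compat_arg_len(int cmd)
{
    switch (cmd) {
    case EVTCHNOP_close:  return sizeof(struct evtchn_close);
    case EVTCHNOP_status: return sizeof(struct evtchn_status);
    default:              return -ENOSYS;
    }
}

static int fixed_op(int cmd, void *arg, size_t arg_size)
{
    union compat_op op;
    int len = compat_arg_len(cmd);
    if (len < 0) return len;
    if ((size_t)len > arg_size) return -EOVERFLOW; /* caller's object too small */
    memcpy(&op, arg, len);
    int rc = fake_hypercall(cmd, &op);
    memcpy(arg, &op, len);            /* copies back len bytes for every command */
    return rc;
}
```

With a 4-byte `evtchn_close` argument the legacy path over-reads 36 bytes and is refused, while the fixed path copies exactly 4 bytes; the status query shows that the unconditional copy-back still returns the hypervisor's output.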