Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy
To: Arnd Bergmann
Cc: Juergen Gross, Nicolas Pitre, Andi Kleen, Dan Carpenter, Jan Beulich, xen-devel, Linux Kernel Mailing List
References: <20180202153240.1190361-1-arnd@arndb.de>
From: Boris Ostrovsky
Message-ID: <1e3424f4-771b-51ad-3630-0faf47e388e0@oracle.com>
Date: Sat, 3 Feb 2018 12:08:14 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

On 02/03/2018 10:12 AM, Arnd Bergmann wrote:
> On Sat, Feb 3, 2018 at 12:33 AM, Boris Ostrovsky wrote:
>> On 02/02/2018 10:32 AM, Arnd Bergmann wrote:
>>> The legacy hypercall handlers were originally added with
>>> a comment explaining that "copying the argument structures in
>>> HYPERVISOR_event_channel_op() and HYPERVISOR_physdev_op() into the local
>>> variable is sufficiently safe" and only made sure to not write
>>> past the end of the argument structure, the checks in linux/string.h
>>> disagree with that, when link-time optimizations are used:
>>>
>>> In function 'memcpy',
>>>     inlined from 'pirq_query_unmask' at drivers/xen/fallback.c:53:2,
>>>     inlined from '__startup_pirq' at drivers/xen/events/events_base.c:529:2,
>>>     inlined from 'restore_pirqs' at drivers/xen/events/events_base.c:1439:3,
>>>     inlined from 'xen_irq_resume' at drivers/xen/events/events_base.c:1581:2:
>>> include/linux/string.h:350:3: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
>>>    __read_overflow2();
>>>    ^
>>> make[3]: *** [ccLujFNx.ltrans15.ltrans.o] Error 1
>>> make[3]: Target 'all' not remade because of errors.
>>> lto-wrapper: fatal error: make returned 2 exit status
>>> compilation terminated.
>>> ld: error: lto-wrapper failed
>>>
>>> This changes the functions so that each argument is accessed with
>>> exactly the correct length based on the command code.
>>>
>>> Fixes: cf47a83fb06e ("xen/hypercall: fix hypercall fallback code for very old hypervisors")
>>> Signed-off-by: Arnd Bergmann
>>> ---
>>>  drivers/xen/fallback.c | 94 ++++++++++++++++++++++++++++----------------------
>>>  1 file changed, 53 insertions(+), 41 deletions(-)
>>>
>
>>> default:
>>> - WARN_ON(rc != -ENOSYS);
>>> - break;
>>> + return -ENOSYS;
>>> }
>>>
>>> + memcpy(&op.u, arg, len);
>>> + rc = _hypercall1(int, event_channel_op_compat, &op);
>>> + memcpy(arg, &op.u, len);
>>
>>
>> We don't copy back for all commands, only those that are COPY_BACK.
>
> Not sure what you mean. Is it harmful to copy back the data for the others
> in any way? Otherwise I wouldn't micro-optimize this.

I should have checked the original commit for fallback.c --- the code that it replaced was doing copybacks for all hypercalls, and selective copybacks are an optimization introduced in that commit.

-boris
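Review bot: the new `default: return -ENOSYS;` arm returns before the hypercall is issued, whereas the removed `WARN_ON(rc != -ENOSYS); break;` shows that the old code had already run the hypercall for every command code and only warned afterwards; command codes not listed in the switch now never reach the hypervisor. That is probably right for a wrapper that cannot know the argument size for an unlisted command, but it is a behaviour change beyond the over-read fix and deserves a sentence in the commit message. The unconditional `memcpy(arg, &op.u, len);` after the switch is fine, as the thread concludes: for an input-only command it writes back the same `len` bytes it just read, so nothing the caller did not supply lands in its structure.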
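The pattern the commit message describes, as an added example that is not the kernel's or Xen's code: a compat wrapper that copies the caller's argument into a union-sized local reads past any argument smaller than the union, and the fix is to pick the copy length from the command code, returning -ENOSYS for unknown commands before anything is copied. The two argument structs, the command codes and fake_hypercall() are hypothetical stand-ins for the Xen ones; compat_after() mirrors the shape of the patch.

```c
/* Added example, not drivers/xen/fallback.c. Layouts and codes are assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical argument layouts of different sizes. op_send is input only;
 * the hypervisor writes op_alloc.port. */
struct op_send  { uint32_t port; };                                   /* 4 bytes */
struct op_alloc { uint16_t dom; uint16_t remote_dom; uint32_t port; }; /* 8 bytes */

enum { OP_SEND = 1, OP_ALLOC = 2 };   /* hypothetical command codes */

/* The local copy handed to the hypervisor: sized by the largest member. */
union compat_arg { struct op_send send; struct op_alloc alloc; };
struct compat_op { uint32_t cmd; union compat_arg u; };

/* Stand-in for _hypercall1(): edits the union in place, -ENOSYS if unknown. */
int fake_hypercall(struct compat_op *op)
{
    switch (op->cmd) {
    case OP_SEND:  return 0;
    case OP_ALLOC: op->u.alloc.port = 7; return 0;
    default:       return -ENOSYS;
    }
}

/* Before the fix: sizeof(op.u) bytes are read whatever the command. With a
 * struct op_send that is 4 bytes past the caller's object, the read that the
 * fortified string.h rejects under LTO. Only call it with the largest layout. */
int compat_before(int cmd, void *arg)
{
    struct compat_op op;
    int rc;

    op.cmd = cmd;
    memcpy(&op.u, arg, sizeof(op.u));   /* over-read if sizeof(*arg) < sizeof(op.u) */
    rc = fake_hypercall(&op);
    if (cmd == OP_ALLOC)                /* selective copy back, exact size */
        memcpy(arg, &op.u.alloc, sizeof(struct op_alloc));
    return rc;
}

/* Exact argument length per command; 0 marks an unknown command. */
size_t compat_arg_len(int cmd)
{
    switch (cmd) {
    case OP_SEND:  return sizeof(struct op_send);
    case OP_ALLOC: return sizeof(struct op_alloc);
    default:       return 0;
    }
}

/* Bytes the old unconditional memcpy read beyond the caller's object. */
size_t over_read_bytes(int cmd)
{
    size_t want = compat_arg_len(cmd);
    return want ? sizeof(union compat_arg) - want : 0;
}

/* After the fix, shaped like the patch: both copies use the per-command
 * length, unknown commands return before any copy, and the copy back for an
 * input-only command rewrites the caller's bytes with the values it passed. */
int compat_after(int cmd, void *arg)
{
    struct compat_op op;
    size_t len = compat_arg_len(cmd);
    int rc;

    if (len == 0)
        return -ENOSYS;
    op.cmd = cmd;
    memcpy(&op.u, arg, len);
    rc = fake_hypercall(&op);
    memcpy(arg, &op.u, len);
    return rc;
}

/* Output command: result lands in the caller's struct, inputs survive. */
int alloc_roundtrip_ok(void)
{
    struct op_alloc a = { .dom = 1, .remote_dom = 2, .port = 0 };
    return compat_after(OP_ALLOC, &a) == 0 && a.port == 7 && a.dom == 1 && a.remote_dom == 2;
}

/* Input-only command: a 4-byte op_send followed by 0xAA canary bytes; the
 * exact-length copy back must leave the canary and the port untouched. */
int send_canary_ok(void)
{
    unsigned char buf[16];
    struct op_send s = { .port = 3 };
    int rc;

    memset(buf, 0xAA, sizeof buf);
    memcpy(buf, &s, sizeof s);
    rc = compat_after(OP_SEND, buf);
    memcpy(&s, buf, sizeof s);
    return rc == 0 && s.port == 3 && buf[4] == 0xAA && buf[15] == 0xAA;
}

int main(void)
{
    struct op_alloc a = { .dom = 1, .remote_dom = 2, .port = 0 };

    printf("old memcpy over-reads an op_send by %zu bytes\n", over_read_bytes(OP_SEND));
    printf("alloc round trip ok: %d, send canary ok: %d\n", alloc_roundtrip_ok(), send_canary_ok());
    printf("unknown cmd rc: %d (-ENOSYS is %d)\n", compat_after(99, &a), -ENOSYS);
    printf("before-fix wrapper with the largest layout: rc %d\n", compat_before(OP_ALLOC, &a));
    return 0;
}
```

Note that the over-read is not something the example exercises at run time: compat_before() is only ever called with the largest layout, which is exactly the accident that kept the old code working until a fortified memcpy saw the caller's real object size after inlining.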