Received: by 10.223.176.5 with SMTP id f5csp1745935wra; Sun, 4 Feb 2018 11:03:57 -0800 (PST) X-Google-Smtp-Source: AH8x224GhHcmX/PlHay+MZvdY9Bi4brw/mkSLf5hbJuFnKjfafxnR/8AeVWNb7NKbVaJnsaXPt7w X-Received: by 2002:a17:902:5688:: with SMTP id j8-v6mr25460876pli.423.1517771036991; Sun, 04 Feb 2018 11:03:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517771036; cv=none; d=google.com; s=arc-20160816; b=kY5hfsAdVhEBPTctvDJCniQhpBAH67r7secF6UZNuc1W8+dBzOnQM1obr0/Aw+Hfxs yCcKseVfg4YdFQNNO3pxAfwJdni6R972c2tV8j91ID+nYhINwGvtmhChVVQpqcO0xDsP AdPfMGtHjXqwRmbljkHknSw9cuFWvPZ4tpUIBxcM9cUU+eDT6nZ49IFZg7ZFHkWp5HOF mkJaMpk6FJHuk1MerXUZ8jW05yqFRNuD4F1epWf7OOtX9UgP7kBNlBY89kVMUmIERtOe 5N1fBYtp6y2WXJI1Wc03Ap1ts9XKY3yufJAPtyOM+NCb6DPsAB9nsMMsofXP+HO5Z5pm IPlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=Wh32W5dBw2uXGN9m2a6D4+LXzFvHB9crFMijfJhInEE=; b=ipJsfKEc4cKF5mPZvmK/+Pca1tSaZYZdX83p0ZCF/CWYHnx7uAfaowmpPEltxnXCbO FE7eb+csyH4/UtAfdj5Dv85CXqg1kvQwhnNszJ48X2ViQdQcQ5zaKzCocMz1pQtWhoB1 vldqL6AVmvjQbK7Os1agWOpW70hECq9AGemX0a24XGx5V5xt/oAILXc9bAlUkp4B2hvQ 2YoMiC5U0d4S1TIrPvzG28Y3XXkfz47IpucfHVQi6pg7V1oVzxoNj37yqfV8TDhyGLsI odPd/86x70jcuaF6mKbuKMcU2o3KKL/WKmNXdiwiOTd65+256Tw5fAj2XhjQfYwz5lAv iwzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=vpn0VTJE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w22si4478246pgm.799.2018.02.04.11.03.29; Sun, 04 Feb 2018 11:03:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=vpn0VTJE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752118AbeBDS77 (ORCPT + 99 others); Sun, 4 Feb 2018 13:59:59 -0500 Received: from aserp2130.oracle.com ([141.146.126.79]:42200 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751577AbeBDS7w (ORCPT ); Sun, 4 Feb 2018 13:59:52 -0500 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w14Ivrq9081924; Sun, 4 Feb 2018 18:59:44 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2017-10-26; bh=Wh32W5dBw2uXGN9m2a6D4+LXzFvHB9crFMijfJhInEE=; b=vpn0VTJEVnIFrWFma/CEYNEzus9o7GXQJPJMbOUYUQ5Z7xjhKPIyA9lLrLQXJxDlLil9 U0hrGEPiqqpi79YZt5pfdwnGhKQVg4VMab0om9oNPLkUXpFJqL4105jkVKof953BNqmT jtIjJcSxoDSjwiiVkikZlNvJ+GepE4jN+U+KbfKPcZ4DU5Urqn3HlOq08huhfRfngfex TsGlzw1gFEJPqwPBZiRy3k/oG7slbq7p2yS49KuYbosSMRM0KScMb/wmOOa64lIiCM3/ o6vGPzms8p3e6h4wlkLGwF931w09vWur+ulF5nhRAMZ7KciXs5rZiFCDkremUhGpqXMN Aw== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2130.oracle.com with ESMTP id 2fx7t480k9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 04 Feb 2018 18:59:43 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w14ItXQm012167 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Sun, 4 Feb 2018 18:55:33 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w14ItWEa031531; Sun, 4 Feb 2018 18:55:32 GMT Received: from [10.39.214.146] (/10.39.214.146) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 04 Feb 2018 10:55:32 -0800 Subject: Re: [PATCH] xen: hypercall: fix out-of-bounds memcpy To: Arnd Bergmann Cc: Juergen Gross , Nicolas Pitre , Andi Kleen , Dan Carpenter , Jan Beulich , xen-devel , Linux Kernel Mailing List References: <20180202153240.1190361-1-arnd@arndb.de> <1e3424f4-771b-51ad-3630-0faf47e388e0@oracle.com> From: Boris Ostrovsky Message-ID: <87946d71-5c94-1045-2e96-347423820d5c@oracle.com> Date: Sun, 4 Feb 2018 13:55:25 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8795 signatures=668662 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802040253 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/04/2018 10:35 AM, Arnd Bergmann wrote: > On Sat, Feb 3, 2018 at 6:08 PM, Boris Ostrovsky > wrote: >> >> On 02/03/2018 10:12 AM, Arnd Bergmann wrote: >>> On Sat, Feb 3, 2018 at 12:33 AM, Boris Ostrovsky >>> wrote: >>>> On 02/02/2018 10:32 AM, Arnd Bergmann wrote: >>>>> The legacy hypercall handlers were originally added with >>>>> a comment explaining that "copying the argument structures in >>>>> HYPERVISOR_event_channel_op() and HYPERVISOR_physdev_op() into the local >>>>> variable is sufficiently safe" and only made sure to not write >>>>> past the end of the argument structure, the checks in linux/string.h >>>>> disagree with that, when link-time optimizations are used: >>>>> >>>>> In function 'memcpy', >>>>> inlined from 'pirq_query_unmask' at drivers/xen/fallback.c:53:2, >>>>> inlined from '__startup_pirq' at >>>>> drivers/xen/events/events_base.c:529:2, >>>>> inlined from 'restore_pirqs' at >>>>> drivers/xen/events/events_base.c:1439:3, >>>>> inlined from 'xen_irq_resume' at >>>>> drivers/xen/events/events_base.c:1581:2: >>>>> include/linux/string.h:350:3: error: call to '__read_overflow2' declared >>>>> with attribute error: detected read beyond size of object passed as 2nd >>>>> parameter >>>>> __read_overflow2(); >>>>> ^ >>>>> make[3]: *** [ccLujFNx.ltrans15.ltrans.o] Error 1 >>>>> make[3]: Target 'all' not remade because of errors. >>>>> lto-wrapper: fatal error: make returned 2 exit status >>>>> compilation terminated. >>>>> ld: error: lto-wrapper failed >>>>> >>>>> This changes the functions so that each argument is accessed with >>>>> exactly the correct length based on the command code. >>>>> >>>>> Fixes: cf47a83fb06e ("xen/hypercall: fix hypercall fallback code for >>>>> very old hypervisors") >>>>> Signed-off-by: Arnd Bergmann >>>>> --- >>>>> drivers/xen/fallback.c | 94 >>>>> ++++++++++++++++++++++++++++---------------------- >>>>> 1 file changed, 53 insertions(+), 41 deletions(-) >>>>> >>>>> default: >>>>> - WARN_ON(rc != -ENOSYS); >>>>> - break; >>>>> + return -ENOSYS; >>>>> } >>>>> >>>>> + memcpy(&op.u, arg, len); >>>>> + rc = _hypercall1(int, event_channel_op_compat, &op); >>>>> + memcpy(arg, &op.u, len); >>>> >>>> >>>> We don't copy back for all commands, only those that are COPY_BACK. >>> >>> Not sure what you mean. Is it harmful to copy back the data for the others >>> in any way? Otherwise I wouldn't micro-optimize this. >> >> >> I should have checked the original commit for fallback.c --- the code that >> it replaced was doing copybacks for all hypercalls and selective copybacks >> is an optimization introduced in that commit. > It was not an optimization but a correctness fix to avoid overflowing > the caller stack on the copy-back operation. What I tried to explain > in my commit message is that the same fix is also needed on > the copy-out before it. It's only a read access beyond the end > of a local variable, but not both the static checks and kasan-stack > get alarmed about it. > Yes, I understand that. I was referring to:     Move the fallback code into out-of-line functions, and handle all of     the operations known by this old a hypervisor individually: *Some don't     require copying back anything at all*, and for the rest use the     individual argument structures' sizes rather than the container's in the original commit. I.e. prior to that commit we *were* copying back for all commands (although possibly with potentially incorrect size). So not copying back for some commands was an optimization. In any case, Reviewed-by: Boris Ostrovsky