Received: by 10.192.165.148 with SMTP id m20csp4352750imm; Tue, 8 May 2018 07:10:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqYhcToCHuygzEvhSYD+JA9g1Gbx0H1en/Vv8frM6B0O5PsBpCNAd2Juzmn7SmrM1CZGeQL X-Received: by 10.98.247.19 with SMTP id h19mr30176338pfi.165.1525788625401; Tue, 08 May 2018 07:10:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525788625; cv=none; d=google.com; s=arc-20160816; b=WhUQuZCPLTSPGzVQWYHFscUBKcSwe675qCen4JsirhsoPMRE7Av4habvvBYoc1tCPn maAY4pRMjbFPmJlLmfGLDJEBty+ICYOqioD2OvFgMkFOcRG2noMi+t2Vfr2SiHmYVi6v AOP4U0jZ2ktDu/hCOEZMeDheT2J8VCJAxJQ0XlV3WGZxlxRaK/jp5q4dg6ygClIzCq/U WBvQMmxjUoHvowN7BAIXTJNMV+UHmSxW1dUdsf8GJLTxqJlf6tSI+zUyA+zomByqsH2R zTo++Cin1jihkhKVVXmWFfwpFx2XauhjnIRPqsmKOPl9xUj9NqURhcgs2bzbuPS91lXX mjSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=cdwZAlYokpQrfD6O/8h7EK5gexyKZnIu5EzNLjqog38=; b=0D5m3tQf4bsB/oPJEy6DQKwFWozx5N6ruZkE3FjQJp/aRfwRaA2ai8HmpxVqfzKIjC kCD2/VM/3H2xtqius8jpgVrsws8FbBqSJCxjrdUrP2TmCYgzF+h/TGZRDaBrXZ2Rtuvx 2ysZvki0ECJHiICaEzyGA/eICxvWR2EapO5Zp80q4Jbkixf0/o+QPoqOKi1cR2rgx3js BpV+tUPh/qRJMllps9onFLNRAbSVkr5UgEYqjyAlo3HvP4KiVTJJrZy4NK1BK9LTJmOP irjsG9moHCHIzjtwrJrRWBM3ZYkAUx0B2+TpW01zvbiUaIruMTUZbVTU3aLsRuv+HCJ/ 9g1w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f2-v6si25325340pli.569.2018.05.08.07.10.08; Tue, 08 May 2018 07:10:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755319AbeEHOJ0 (ORCPT + 99 others); Tue, 8 May 2018 10:09:26 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:35437 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752563AbeEHOJZ (ORCPT ); Tue, 8 May 2018 10:09:25 -0400 Received: by mail-wm0-f68.google.com with SMTP id o78-v6so21887326wmg.0 for ; Tue, 08 May 2018 07:09:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=cdwZAlYokpQrfD6O/8h7EK5gexyKZnIu5EzNLjqog38=; b=TzViJxVWpKJgM2jrojkegHiGT7AGn2xtb+vDXDbGJl5PSUaAQ2lUGmrPS8OMfC2R/N NKB49LmLcUQ0bL9Uhe1aKsSIoxYf2lEKN38JyN8/0PulbvG0uH0CTfw7b2T/ykwOGyrl 6+hEY7FdLBzH5N2laE6vd0A9GBBGVEEtNWvQL8qfIhj6dOw9ovNkopB0VHFcySVJOHAD S1IOCYMdPVRC+E1WZaCzIsUCXS+NW2pXODwsJIjI+p5diFjJNHQDGUKG2Ij84o3WPbAi HTOMENOaqugWEPmX7zow1sI7TszNVfINxxaMJ7Zl3aB6DnJvSJ1QxJQ490rDsTVxr4/X wllw== X-Gm-Message-State: ALKqPwfXYX1Sl/MuCHuYS6pnBMbL7HNLCYE0D3zPkxyNOX1SMiImWjek jCQPfsUh9ISNWLth/Q1uxV9fJ6966zE= X-Received: by 10.28.87.21 with SMTP id l21mr3678968wmb.54.1525788564408; Tue, 08 May 2018 07:09:24 -0700 (PDT) Received: from shalem.localdomain (546A5441.cm-12-3b.dynamic.ziggo.nl. [84.106.84.65]) by smtp.gmail.com with ESMTPSA id n73-v6sm26894000wrb.18.2018.05.08.07.09.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 May 2018 07:09:23 -0700 (PDT) Subject: Re: [PATCH v2] virt: vbox: Only copy_from_user the request-header once To: Wenwen Wang Cc: Kangjie Lu , Arnd Bergmann , Greg Kroah-Hartman , open list References: <1525787428-26702-1-git-send-email-wang6495@umn.edu> From: Hans de Goede Message-ID: <61964ea9-dfa9-33d3-80fe-2cc54e1727de@redhat.com> Date: Tue, 8 May 2018 16:09:23 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <1525787428-26702-1-git-send-email-wang6495@umn.edu> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 08-05-18 15:50, Wenwen Wang wrote: > In vbg_misc_device_ioctl(), the header of the ioctl argument is copied from > the userspace pointer 'arg' and saved to the kernel object 'hdr'. Then the > 'version', 'size_in', and 'size_out' fields of 'hdr' are verified. > > Before this commit, after the checks a buffer for the entire request would > be allocated and then all data including the verified header would be > copied from the userspace 'arg' pointer again. > > Given that the 'arg' pointer resides in userspace, a malicious userspace > process can race to change the data pointed to by 'arg' between the two > copies. By doing so, the user can bypass the verifications on the ioctl > argument. > > This commit fixes this by using the already checked copy of the header > to fill the header part of the allocated buffer and only copying the > remainder of the data from userspace. > > Signed-off-by: Wenwen Wang Thanks, looks good: Reviewed-by: Hans de Goede Regards, Hans > --- > drivers/virt/vboxguest/vboxguest_linux.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/virt/vboxguest/vboxguest_linux.c b/drivers/virt/vboxguest/vboxguest_linux.c > index 398d226..6e2a961 100644 > --- a/drivers/virt/vboxguest/vboxguest_linux.c > +++ b/drivers/virt/vboxguest/vboxguest_linux.c > @@ -121,7 +121,9 @@ static long vbg_misc_device_ioctl(struct file *filp, unsigned int req, > if (!buf) > return -ENOMEM; > > - if (copy_from_user(buf, (void *)arg, hdr.size_in)) { > + *((struct vbg_ioctl_hdr *)buf) = hdr; > + if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), > + hdr.size_in - sizeof(hdr))) { > ret = -EFAULT; > goto out; > } >