Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3804054imm; Mon, 8 Oct 2018 09:45:34 -0700 (PDT) X-Google-Smtp-Source: ACcGV60sn78FhW31mDUDyD65mAPMRabK/Iqf+7jKXCbgLH64+uOHEQa2F7SegnbsI0f6B6mXNf9q X-Received: by 2002:a63:a09:: with SMTP id 9-v6mr21887955pgk.318.1539017134214; Mon, 08 Oct 2018 09:45:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539017134; cv=none; d=google.com; s=arc-20160816; b=ZW/sWWWnDzeMB0j1vnkGD5/R6HizuIYJ2/6fSa6Pmanb6FqBVjg2/+6gpNtF4I/9KG CMc1mNfyeZGdmrTUue1UBU/DXWdlbBxdLHO/Wn+HehVU5mYGm372zQDnLfr1VI72/Dq6 dAJ9FHDREnAQf3oSF6jt5WmxYjXJi7Gw+zMLAxA3SDsiVAxAhxjqtmg80d3+y7LerYH/ CD3Dn5hJt/OybABLQalp2tv7o6zrQL0Xjc5Jn6abgBK7kqkhWyVMHYC1EP+liMFgjtDX 5/WzBd001gOKHATkqa8tlJt4u4R2456ILrfRFxUyux7zwTf9nnsumy/nSZdj7l3lqcBk Gsxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=51mFNbyzUuJ/ZGa9b3nU0oybKAstkUGz2S2wL5ufutU=; b=AOPnSmUsVx5xqswoA2oygTd/5F//quUu5Ywq0tG7GtO5klWrTXM2FzA4VOCQfw/XMX YHRRowpLf0+zn7/ahxFtLhboH8IZgKkcPX7qSudaFWF20/+mcVo9DZdO6VppPOG1i2g8 KTwORESE+mi7NnsmL4axHoa7E6Kmvh2nUZBhqeOjzzJWXn7St1/p7rk2jHW2iksIES0M dizFKep8CuhktvrZyS4WLk86rm+DkaMJdYg6zAcS3WIWnQR1GjOIP8K9/aqJLLnDt/bg G4FXfu5HC0TepqA8fExNgqRGQNRGB+Sjavyb6Ea8Yhttl2YW51muks7UTXARLP1mj7pa FhfQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b35-v6si18893552plh.308.2018.10.08.09.45.18; Mon, 08 Oct 2018 09:45:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726563AbeJHX41 (ORCPT + 99 others); Mon, 8 Oct 2018 19:56:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:43470 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726348AbeJHX40 (ORCPT ); Mon, 8 Oct 2018 19:56:26 -0400 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1F4183097030; Mon, 8 Oct 2018 16:43:52 +0000 (UTC) Received: from w520.home (ovpn-116-90.phx2.redhat.com [10.3.116.90]) by smtp.corp.redhat.com (Postfix) with ESMTP id C484C2008114; Mon, 8 Oct 2018 16:43:51 +0000 (UTC) Date: Mon, 8 Oct 2018 10:43:50 -0600 From: Alex Williamson To: Wenwen Wang Cc: Kangjie Lu , kvm@vger.kernel.org (open list:VFIO DRIVER), linux-kernel@vger.kernel.org (open list) Subject: Re: [PATCH] drivers/vfio: Fix a redundant copy bug Message-ID: <20181008104350.7776c729@w520.home> In-Reply-To: <1538923466-29705-1-git-send-email-wang6495@umn.edu> References: <1538923466-29705-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.84 on 10.5.11.25 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Mon, 08 Oct 2018 16:43:52 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Sun, 7 Oct 2018 09:44:25 -0500 Wenwen Wang wrote: > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP, > the user-space buffer 'arg' is copied to the kernel object 'op' and the > 'argsz' and 'flags' fields of 'op' are checked. If the check fails, an > error code EINVAL is returned. Otherwise, 'op.op' is further checked > through a switch statement to invoke related handlers. If 'op.op' is > VFIO_EEH_PE_INJECT_ERR, the whole user-space buffer 'arg' is copied again > to 'op' to obtain the err information. However, in the following execution > of this case, the fields of 'op', except the field 'err', are actually not > used. That is, the second copy has a redundant part. Therefore, for both > performance and security reasons, the redundant part of the second copy > should be removed. Redundant, yes. Performance-wise it's 12 bytes on a non-performance path, so theoretically yes, but in practice maybe it's a simplicity trade-off. Security? I don't see it, please explain. > This patch removes such a part in the second copy. It only copies the 'err' > information from the buffer 'arg'. > > Signed-off-by: Wenwen Wang > --- > drivers/vfio/vfio_spapr_eeh.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/drivers/vfio/vfio_spapr_eeh.c b/drivers/vfio/vfio_spapr_eeh.c > index 38edeb4..5bc4b60 100644 > --- a/drivers/vfio/vfio_spapr_eeh.c > +++ b/drivers/vfio/vfio_spapr_eeh.c > @@ -86,10 +86,10 @@ long vfio_spapr_iommu_eeh_ioctl(struct iommu_group *group, > ret = eeh_pe_configure(pe); > break; > case VFIO_EEH_PE_INJECT_ERR: > - minsz = offsetofend(struct vfio_eeh_pe_op, err.mask); > - if (op.argsz < minsz) > + if (op.argsz < sizeof(op)) > return -EINVAL; The original code is written such that new operations can be added, possibly with new entries in the struct vfio_eeh_pe_op union, which might change sizeof(op) to be more than necessary for a VFIO_EEH_PE_INJECT_ERR op. Existing userspace suddenly wouldn't work without effectively reverting this change. This is a subtle dependency that is not worth the above code change, imo. > - if (copy_from_user(&op, (void __user *)arg, minsz)) > + if (copy_from_user(&op.err, (char __user *)arg + > + minsz, sizeof(op.err))) > return -EFAULT; Please rework with the assumption that the union in struct vfio_eeh_pe_op can be expanded and must not break existing userspace. Thanks, Alex