To: linux-kernel@vger.kernel.org
From: Tavis Ormandy
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"
Date: Wed, 21 Apr 2021 15:14:29 -0000 (UTC)
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org> <20210421130105.1226686-187-gregkh@linuxfoundation.org>

On 2021-04-21, Greg Kroah-Hartman wrote:
> This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
>
> - *((struct vbg_ioctl_hdr *)buf) = hdr;
> - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> - hdr.size_in - sizeof(hdr))) {
> + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> ret = -EFAULT;
> goto out;
> }

This one seems like a real bugfix, otherwise there's a double-fetch from userspace, and a TOCTOU with the hdr fields that could cause an OOB read.
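Review bot: the restored `copy_from_user(buf, (void *)arg, hdr.size_in)` re-reads the header bytes from user memory after `hdr` has already been fetched (its `size_in` is what sizes this very copy), so the `struct vbg_ioctl_hdr` that lands at the start of `buf` is a second, independent fetch that a concurrent user thread can change between the two copies; whatever was checked on the local `hdr` says nothing about the header the rest of the handler reads out of `buf`. The removed lines avoided this by writing the already-fetched `hdr` into `buf` and copying only the `hdr.size_in - sizeof(hdr)` payload bytes from `arg + sizeof(hdr)`; unless the revert is needed for a reason other than the code itself, keep them.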
Reviewed-by: Tavis Ormandy

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso
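The double fetch described in the reply above, as an added userspace simulation that is not part of the original message, the vbox driver, or the kernel. The two handler shapes mirror the removed and restored lines of the hunk, but `fake_copy_from_user`, `struct user_mem`, the two-field `struct vbg_ioctl_hdr`, `KBUF_SIZE` and the `run_*` wrappers are all assumptions made for this example; the "racing" user thread is modelled deterministically by rewriting `size_in` right after the kernel's first copy completes, which is the window a real race would have to hit.

```c
/* Added example (not vbox code): single fetch vs double fetch of a request
 * header. Everything here except the size_in/size_out field names is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct vbg_ioctl_hdr {       /* reduced to the fields the example needs */
    uint32_t size_in;
    uint32_t size_out;
};

#define KBUF_SIZE 64u        /* assumed size of the kernel-side request buffer */

/* Simulated user memory; racer_size_in is what a racing user thread writes
 * over size_in as soon as the kernel's first copy has completed. */
struct user_mem {
    unsigned char bytes[256];
    int fetch_count;
    uint32_t racer_size_in;
};

/* Stand-in for copy_from_user(): n bytes at offset off, returns 0 on success. */
static int fake_copy_from_user(void *dst, struct user_mem *um, size_t off, size_t n)
{
    if (off + n > sizeof(um->bytes))
        return -1;
    memcpy(dst, um->bytes + off, n);
    if (++um->fetch_count == 1)      /* the race window: between fetch #1 and #2 */
        memcpy(um->bytes, &um->racer_size_in, sizeof(um->racer_size_in));
    return 0;
}

static uint32_t size_in_of(const unsigned char *buf)
{
    uint32_t v;
    memcpy(&v, buf, sizeof(v));      /* memcpy, not a cast: buf may be unaligned */
    return v;
}

/* Double-fetch shape (what the revert restores): fetch and check the header,
 * then copy the whole request, header included, a second time. Returns the
 * size_in the rest of the handler would trust (the copy in buf), -1 on error. */
static long ioctl_double_fetch(struct user_mem *um, unsigned char *buf)
{
    struct vbg_ioctl_hdr hdr;

    if (fake_copy_from_user(&hdr, um, 0, sizeof(hdr)))
        return -1;
    if (hdr.size_in < sizeof(hdr) || hdr.size_in > KBUF_SIZE)
        return -1;                   /* the check only ever sees fetch #1 */
    if (fake_copy_from_user(buf, um, 0, hdr.size_in))
        return -1;                   /* fetch #2 re-reads the header bytes */
    return size_in_of(buf);          /* may no longer equal hdr.size_in */
}

/* Single-fetch shape (the reverted fix): store the checked header from the
 * kernel copy and fetch only the payload that follows it. */
static long ioctl_single_fetch(struct user_mem *um, unsigned char *buf)
{
    struct vbg_ioctl_hdr hdr;

    if (fake_copy_from_user(&hdr, um, 0, sizeof(hdr)))
        return -1;
    if (hdr.size_in < sizeof(hdr) || hdr.size_in > KBUF_SIZE)
        return -1;
    memcpy(buf, &hdr, sizeof(hdr));  /* header comes from the checked copy */
    if (fake_copy_from_user(buf + sizeof(hdr), um, sizeof(hdr),
                            hdr.size_in - sizeof(hdr)))
        return -1;
    return size_in_of(buf);          /* always the checked value */
}

/* Constructed input: a 16-byte request that passes the check, with a racer
 * that rewrites size_in to 4096 (far beyond KBUF_SIZE) after fetch #1. */
static void setup_user(struct user_mem *um)
{
    struct vbg_ioctl_hdr hdr = { .size_in = 16, .size_out = 16 };
    memset(um, 0, sizeof(*um));
    memcpy(um->bytes, &hdr, sizeof(hdr));
    um->racer_size_in = 4096;
}

long run_double_fetch(void)
{
    struct user_mem um;
    unsigned char buf[KBUF_SIZE];
    setup_user(&um);
    return ioctl_double_fetch(&um, buf);
}

long run_single_fetch(void)
{
    struct user_mem um;
    unsigned char buf[KBUF_SIZE];
    setup_user(&um);
    return ioctl_single_fetch(&um, buf);
}

int main(void)
{
    printf("double fetch: handler trusts size_in=%ld, buffer holds %u bytes\n",
           run_double_fetch(), KBUF_SIZE);
    printf("single fetch: handler trusts size_in=%ld\n", run_single_fetch());
    return 0;
}
```

With the double-fetch handler the header in `buf` carries the racer's 4096 even though the 16 that was checked is what sized the copy, so any later code that sizes a read or a copy-back from the header in `buf` is working past the end of a 64-byte buffer; the single-fetch handler never re-reads the header, so the value it goes on to trust is the one it checked.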