Date: Thu, 22 Apr 2021 01:16:01 +0000
From: Al Viro
To: Tavis Ormandy
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org> <20210421130105.1226686-187-gregkh@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> On 2021-04-21, Greg Kroah-Hartman wrote:
> > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> >
> > - *((struct vbg_ioctl_hdr *)buf) = hdr;
> > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr),
> > - hdr.size_in - sizeof(hdr))) {
> > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) {
> > ret = -EFAULT;
> > goto out;
> > }
>
> This one seems like a real bugfix, otherwise there's a double-fetch from
> userspace, and a TOCTOU with the hdr fields that could cause an OOB read.

ACK, except that typecasts in there are messy as hell.  But that's, alas,
consistent with the rest of the function...

Patch itself is correct, and AFAICS Wenwen Wang might be an innocent
collateral damage from that mess - commits from that source appear to be
fairly well-written.
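Review bot: the `+` line `if (copy_from_user(buf, (void *)arg, hdr.size_in)) {` re-reads the request header from user memory after `hdr` has already been fetched (its `size_in` is what sizes this copy), so the `struct vbg_ioctl_hdr` that lands at the start of `buf` can differ from the `hdr` the caller validated; a concurrent writer that enlarges the size fields between the two fetches leaves `buf` carrying a header that no longer matches the bytes actually copied, which is the TOCTOU the reverted commit closed. The removed `-` lines avoid that by storing the already-fetched `hdr` into `buf` and copying only `hdr.size_in - sizeof(hdr)` bytes after it; this revert reintroduces the double fetch and should be dropped. Separately, `(void *)arg` (in both the removed and the added line) casts the ioctl argument without the `__user` annotation that `copy_from_user()` expects on its source pointer, so sparse cannot check the address space; `(void __user *)arg` would keep that checking, though as the reply notes the rest of the function casts the same way.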
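The double fetch Tavis describes, as an added example that is not part of this thread or of the vbox driver: a userspace C model in which copy_from_user() is replaced by a stand-in that lets a "racing" writer change the request header between the driver's two fetches, so the race is deterministic. struct req_hdr, KBUF_MAX, the 32/4096 sizes and every function name here are constructed for the example; handle_double_fetch() has the shape this revert goes back to and handle_single_fetch() the shape of the reverted commit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the request header: only the field the pattern depends
 * on. Layout is an assumption for this example, not the driver's
 * real struct vbg_ioctl_hdr. */
struct req_hdr {
	uint32_t size_in;
	uint32_t size_out;
};

#define KBUF_MAX 64u	/* kernel-side buffer the request is copied into */

/* "User memory": a plain array standing in for the ioctl argument.
 * In a real race another thread rewrites it; here a one-shot hook
 * mutates it between the two fetches so the outcome is testable. */
static unsigned char user_mem[256];
static void (*race_hook)(void);

/* Stand-in for copy_from_user(): copy n bytes from user_mem[off], then
 * give the "other thread" its turn exactly once. Nonzero on a bad
 * range, like the real thing failing with -EFAULT. */
static int fake_copy_from_user(void *dst, size_t off, size_t n)
{
	if (off + n > sizeof(user_mem))
		return -1;
	memcpy(dst, user_mem + off, n);
	if (race_hook) {
		void (*h)(void) = race_hook;
		race_hook = NULL;
		h();
	}
	return 0;
}

/* The racer: after the driver validated size_in, grow it past the
 * kernel buffer. Anything that later trusts the header in buf is wrong. */
static void racer_grow_size_in(void)
{
	uint32_t big = 4096;
	memcpy(user_mem, &big, sizeof(big));	/* size_in sits at offset 0 */
}

/* Vulnerable shape (what the revert goes back to): fetch and validate
 * the header, then fetch the whole request, header included, again. */
static int handle_double_fetch(unsigned char *buf, struct req_hdr *seen)
{
	struct req_hdr hdr;

	if (fake_copy_from_user(&hdr, 0, sizeof(hdr)))
		return -1;
	if (hdr.size_in < sizeof(hdr) || hdr.size_in > KBUF_MAX)
		return -2;			/* would be -EINVAL */
	if (fake_copy_from_user(buf, 0, hdr.size_in))
		return -1;
	memcpy(seen, buf, sizeof(*seen));	/* header as later code sees it */
	return 0;
}

/* Fixed shape (the reverted commit): keep the validated header, copy
 * only the bytes after it, so the header in buf cannot change under us. */
static int handle_single_fetch(unsigned char *buf, struct req_hdr *seen)
{
	struct req_hdr hdr;

	if (fake_copy_from_user(&hdr, 0, sizeof(hdr)))
		return -1;
	if (hdr.size_in < sizeof(hdr) || hdr.size_in > KBUF_MAX)
		return -2;
	memcpy(buf, &hdr, sizeof(hdr));
	if (fake_copy_from_user(buf + sizeof(hdr), sizeof(hdr),
				hdr.size_in - sizeof(hdr)))
		return -1;
	memcpy(seen, buf, sizeof(*seen));
	return 0;
}

/* Run one handler on a request whose size_in (32) passes validation,
 * with the racer armed. Returns the size_in the handler left in buf:
 * 32 if the validated header survived, 4096 if the racer's value won. */
static uint32_t size_in_after_race(int (*handler)(unsigned char *, struct req_hdr *))
{
	unsigned char buf[KBUF_MAX];
	struct req_hdr seen = { 0, 0 };
	uint32_t ok = 32;

	memset(user_mem, 0, sizeof(user_mem));
	memcpy(user_mem, &ok, sizeof(ok));
	race_hook = racer_grow_size_in;
	if (handler(buf, &seen))
		return 0;
	return seen.size_in;
}

int main(void)
{
	printf("double fetch: buf claims size_in=%u, but only 32 bytes were copied\n",
	       size_in_after_race(handle_double_fetch));
	printf("single fetch: buf claims size_in=%u\n",
	       size_in_after_race(handle_single_fetch));
	return 0;
}
```

The validation in both handlers is identical; the only difference is whether the header bytes in buf come from the first fetch or from a second trip to user memory. With the double fetch, buf ends up describing a 4096-byte request inside a 64-byte buffer, which is exactly the condition under which code that walks the request by its own header reads out of bounds.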