Date: Mon, 26 Apr 2021 19:08:17 +0200
From: Greg KH
To: Al Viro
Cc: Tavis Ormandy, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 186/190] Revert "virt: vbox: Only copy_from_user the request-header once"
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org> <20210421130105.1226686-187-gregkh@linuxfoundation.org>

On Thu, Apr 22, 2021 at 01:16:01AM +0000, Al Viro wrote:
> On Wed, Apr 21, 2021 at 03:14:29PM -0000, Tavis Ormandy wrote:
> > On 2021-04-21, Greg Kroah-Hartman wrote:
> > > This reverts commit bd23a7269834dc7c1f93e83535d16ebc44b75eba.
> > >
> > > - *((struct vbg_ioctl_hdr *)buf) = hdr; > > > - if (copy_from_user(buf + sizeof(hdr), (void *)arg + sizeof(hdr), > > > - hdr.size_in - sizeof(hdr))) { > > > + if (copy_from_user(buf, (void *)arg, hdr.size_in)) { > > > ret = -EFAULT; > > > goto out; > > > }
> >
> > This one seems like a real bugfix, otherwise there's a double-fetch from
> > userspace, and a TOCTOU with the hdr fields that could cause an OOB read.
>
> ACK, except that typecasts in there are messy as hell. But that's,
> alas, consistent with the rest of the function...
>
> Patch itself is correct, and AFAICS Wenwen Wang
> might be an innocent collateral damage from that mess - commits from that
> source appear to be fairly well-written.

I've dropped it from my tree now, thanks for the review.

greg k-h
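
Review bot: the `+` line `if (copy_from_user(buf, (void *)arg, hdr.size_in)) {` reads the whole request, header included, from userspace again, while the copy length comes from the `hdr` that was fetched earlier, so the header that ends up in `buf` is not guaranteed to match the `hdr.size_in` that sized the copy. The removed lines avoid that by storing the already-fetched `hdr` into `buf` and copying only the `hdr.size_in - sizeof(hdr)` bytes that follow it; keep that form rather than applying this revert. Separately, the `(void *)arg` cast appears in both the removed and the added lines; casting to `void __user *` instead would let sparse check the pointer's address space.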