References: <20220826161605.559317-1-maxime.coquelin@redhat.com>
In-Reply-To: <20220826161605.559317-1-maxime.coquelin@redhat.com>
From: Jason Wang
Date: Mon, 29 Aug 2022 08:44:17 +0800
Subject: Re: [PATCH] vduse: prevent uninitialized memory accesses
To: Maxime Coquelin
Cc: linux-kernel, virtualization, Eli Cohen, Guanjun, Parav Pandit, Gautam Dawar, Dan Carpenter, Yongji Xie, mst
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Aug 27, 2022 at 12:16 AM Maxime Coquelin wrote:
>
> If the VDUSE application provides a smaller config space
> than the driver expects, the driver may use uninitialized
> memory from the stack.
>
> This patch prevents it by initializing the buffer passed by
> the driver to store the config value.
>
> Signed-off-by: Maxime Coquelin

Acked-by: Jason Wang

> ---
> drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
> index 41c0b29739f1..35dceee3ed56 100644
> --- a/drivers/vdpa/vdpa_user/vduse_dev.c
> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c
> @@ -673,10 +673,15 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
> {
> struct vduse_dev *dev = vdpa_to_vduse(vdpa);
>
> - if (offset > dev->config_size ||
> - len > dev->config_size - offset)
> + /* Initialize the buffer in case of partial copy. */
> + memset(buf, 0, len);
> +
> + if (offset > dev->config_size)
> return;
>
> + if (len > dev->config_size - offset)
> + len = dev->config_size - offset;
> +
> memcpy(buf, dev->config + offset, len);
> }
>
> --
> 2.37.1
>
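Review bot: the second check in this hunk turns an over-long read from a rejected request into a silently truncated one: `if (len > dev->config_size - offset)` now clamps `len` to `dev->config_size - offset` and copies the prefix, whereas the removed `len > dev->config_size - offset` condition returned without copying anything. With `buf` zeroed up front this is safe (an `offset` equal to `config_size` clamps `len` to 0 and the `memcpy` copies nothing, and `offset > dev->config_size` still bails before the subtraction can underflow), but the commit message only describes the zeroing, so either state the truncation there or keep the original rejection and let the `memset` alone fix the uninitialized read. The comment `/* Initialize the buffer in case of partial copy. */` would also be clearer if it said why a partial copy can happen, namely that the config space supplied by the VDUSE application may be smaller than what the driver asks for. Since the change stops a driver consuming uninitialized stack memory, a `Fixes:` tag would help backporting; the message as posted carries none.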
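As an added example (not code from the patch, the kernel tree, or either author), here is a user-space model of vduse_vdpa_get_config() before and after this change, driven by a constructed 4-byte config space to show the stale bytes a driver reading an 8-byte config structure would otherwise consume. The two-field struct vduse_dev is a stand-in for the kernel's, and get_config_old, get_config_new, read_config, stale_old, stale_new and new_byte are names chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for the kernel's struct vduse_dev (assumption:
 * only the two fields the config path touches are modelled). */
struct vduse_dev {
    uint8_t *config;       /* config space supplied by the VDUSE application */
    uint32_t config_size;  /* its length in bytes */
};

typedef void (*get_config_fn)(struct vduse_dev *, unsigned int, void *, unsigned int);

/* Pre-fix logic: an out-of-range request returns without touching buf,
 * so the caller's buffer keeps whatever the stack held before the call. */
static void get_config_old(struct vduse_dev *dev, unsigned int offset,
                           void *buf, unsigned int len)
{
    if (offset > dev->config_size || len > dev->config_size - offset)
        return;
    memcpy(buf, dev->config + offset, len);
}

/* Post-fix logic: zero buf first, then copy only the bytes that exist. */
static void get_config_new(struct vduse_dev *dev, unsigned int offset,
                           void *buf, unsigned int len)
{
    memset(buf, 0, len);
    if (offset > dev->config_size)
        return;
    if (len > dev->config_size - offset)
        len = dev->config_size - offset;
    memcpy(buf, dev->config + offset, len);
}

#define BUF_LEN 8u
#define STALE   0xAAu  /* stands in for leftover stack contents */

/* Models a virtio driver reading `len` config bytes at `offset` into a
 * BUF_LEN-byte stack buffer. The buffer is pre-filled with STALE; every
 * STALE byte still present after the call is data the driver would consume
 * without the device ever having written it. Copies the buffer to `out`
 * and returns the number of such bytes. */
static unsigned int read_config(get_config_fn get_config, unsigned int offset,
                                unsigned int len, uint8_t out[BUF_LEN])
{
    /* Constructed input: the application provided only 4 bytes of config. */
    uint8_t config[4] = { 0x01, 0x02, 0x03, 0x04 };
    struct vduse_dev dev = { .config = config, .config_size = sizeof(config) };
    uint8_t buf[BUF_LEN];
    unsigned int stale = 0;

    if (len > BUF_LEN)
        len = BUF_LEN;
    memset(buf, STALE, sizeof(buf));
    get_config(&dev, offset, buf, len);
    for (unsigned int i = 0; i < len; i++)
        if (buf[i] == STALE)
            stale++;
    memcpy(out, buf, sizeof(buf));
    return stale;
}

/* Stale bytes left in the driver's buffer by the pre-fix read. */
unsigned int stale_old(unsigned int offset, unsigned int len)
{
    uint8_t out[BUF_LEN];
    return read_config(get_config_old, offset, len, out);
}

/* Stale bytes left in the driver's buffer by the fixed read. */
unsigned int stale_new(unsigned int offset, unsigned int len)
{
    uint8_t out[BUF_LEN];
    return read_config(get_config_new, offset, len, out);
}

/* Byte i of the driver's buffer after the fixed read. */
uint8_t new_byte(unsigned int offset, unsigned int len, unsigned int i)
{
    uint8_t out[BUF_LEN];
    read_config(get_config_new, offset, len, out);
    return i < BUF_LEN ? out[i] : 0;
}

int main(void)
{
    printf("8-byte read from a 4-byte config: %u stale bytes before the fix, %u after\n",
           stale_old(0, 8), stale_new(0, 8));
    printf("1-byte read at offset 5: %u stale before the fix, %u after\n",
           stale_old(5, 1), stale_new(5, 1));
    return 0;
}
```

The pre-fix function leaves all 8 bytes stale for the over-long read, because the bounds check rejects the whole request and the caller never learns that nothing was written; the fixed function returns the 4 real bytes followed by zeros. The same model shows the edge cases the review note discusses: an offset equal to config_size yields an all-zero buffer, and an offset past the end also yields zeros rather than stack residue.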