Message ID | 20200408071121.25645-1-yan.y.zhao@intel.com (mailing list archive) |
---|---|
State | New, archived |
Series | vfio: checking of validity of user vaddr in vfio_dma_rw |
On Wed, Apr 08, 2020 at 03:11:21AM -0400, Yan Zhao wrote: > instead of calling __copy_to/from_user(), use copy_to_from_user() to > ensure vaddr range is a valid user address range before accessing them. > > Cc: Kees Cook <keescook@chromium.org> > > Fixes: 8d46c0cca5f4 ("vfio: introduce vfio_dma_rw to read/write a range of IOVAs") > Signed-off-by: Yan Zhao <yan.y.zhao@intel.com> Thanks! Reported-by: Kees Cook <keescook@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> -Kees > --- > drivers/vfio/vfio_iommu_type1.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c > index 3aefcc8e2933..fbc58284b333 100644 > --- a/drivers/vfio/vfio_iommu_type1.c > +++ b/drivers/vfio/vfio_iommu_type1.c > @@ -2345,10 +2345,10 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu, > vaddr = dma->vaddr + offset; > > if (write) > - *copied = __copy_to_user((void __user *)vaddr, data, > + *copied = copy_to_user((void __user *)vaddr, data, > count) ? 0 : count; > else > - *copied = __copy_from_user(data, (void __user *)vaddr, > + *copied = copy_from_user(data, (void __user *)vaddr, > count) ? 0 : count; > if (kthread) > unuse_mm(mm); > -- > 2.17.1 >
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c index 3aefcc8e2933..fbc58284b333 100644 --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -2345,10 +2345,10 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu, vaddr = dma->vaddr + offset; if (write) - *copied = __copy_to_user((void __user *)vaddr, data, + *copied = copy_to_user((void __user *)vaddr, data, count) ? 0 : count; else - *copied = __copy_from_user(data, (void __user *)vaddr, + *copied = copy_from_user(data, (void __user *)vaddr, count) ? 0 : count; if (kthread) unuse_mm(mm);
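Review bot: Both branches in vfio_iommu_type1_dma_rw_chunk() still reduce the return value to `? 0 : count`, so with the checked variants a vaddr range that is rejected up front and a fault partway through the copy both end up as *copied = 0, and any bytes that were transferred before a fault go unreported. copy_to_user() and copy_from_user() return the number of bytes not copied, so consider whether `count - ret` is the better value here, or add a comment stating that all-or-nothing is intended. A one-line comment above the `if (write)` noting that vaddr (dma->vaddr + offset) must be validated as a user range would also help keep these calls from being switched back to the unchecked __copy_* forms later. Minor: the commit message names copy_to_from_user(), which matches neither function in the hunk; spelling out copy_to_user()/copy_from_user() would make the log searchable.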
instead of calling __copy_to/from_user(), use copy_to_from_user() to
ensure vaddr range is a valid user address range before accessing them.

Cc: Kees Cook <keescook@chromium.org>
Fixes: 8d46c0cca5f4 ("vfio: introduce vfio_dma_rw to read/write a range of IOVAs")
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
---
 drivers/vfio/vfio_iommu_type1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)