diff mbox series

[v2] net: vmw_vsock: vmci: Check memcpy_from_msg()

Message ID 20221203083312.923029-1-artem.chernyshev@red-soft.ru (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series [v2] net: vmw_vsock: vmci: Check memcpy_from_msg() | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 1 blamed authors not CCed: viro@zeniv.linux.org.uk; 4 maintainers not CCed: edumazet@google.com davem@davemloft.net pabeni@redhat.com viro@zeniv.linux.org.uk
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Artem Chernyshev Dec. 3, 2022, 8:33 a.m. UTC 
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). Return with an error if the memcpy fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
V1->V2 Fix memory leaking and updates for description

 net/vmw_vsock/vmci_transport.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Stefano Garzarella Dec. 5, 2022, 9:47 a.m. UTC | #1 
On Sat, Dec 03, 2022 at 11:33:12AM +0300, Artem Chernyshev wrote:
>vmci_transport_dgram_enqueue() does not check the return value
>of memcpy_from_msg(). Return with an error if the memcpy fails.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
>Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
>---
>V1->V2 Fix memory leaking and updates for description
>
> net/vmw_vsock/vmci_transport.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
>index 842c94286d31..c94c3deaa09d 100644
>--- a/net/vmw_vsock/vmci_transport.c
>+++ b/net/vmw_vsock/vmci_transport.c
>@@ -1711,7 +1711,10 @@ static int vmci_transport_dgram_enqueue(
> 	if (!dg)
> 		return -ENOMEM;
>
>-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
>+	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
>+		kfree(dg);
>+		return -EFAULT;

Since memcpy_from_msg() is a wrapper of copy_from_iter_full() that 
simply returns -EFAULT in case of an error, perhaps it would be better 
here to return the value of memcpy_from_msg() instead of wiring the 
error.

However in the end the behavior is the same, so even if you don't want 
to change it I'll leave my R-b:

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Thanks,
Stefano
Artem Chernyshev Dec. 5, 2022, 11:22 a.m. UTC | #2 
Hi,
On Mon, Dec 05, 2022 at 10:47:36AM +0100, Stefano Garzarella wrote:
> On Sat, Dec 03, 2022 at 11:33:12AM +0300, Artem Chernyshev wrote:
> > vmci_transport_dgram_enqueue() does not check the return value
> > of memcpy_from_msg(). Return with an error if the memcpy fails.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> > Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> > ---
> > V1->V2 Fix memory leaking and updates for description
> > 
> > net/vmw_vsock/vmci_transport.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> > index 842c94286d31..c94c3deaa09d 100644
> > --- a/net/vmw_vsock/vmci_transport.c
> > +++ b/net/vmw_vsock/vmci_transport.c
> > @@ -1711,7 +1711,10 @@ static int vmci_transport_dgram_enqueue(
> > 	if (!dg)
> > 		return -ENOMEM;
> > 
> > -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> > +	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
> > +		kfree(dg);
> > +		return -EFAULT;
> 
> Since memcpy_from_msg() is a wrapper of copy_from_iter_full() that simply
> returns -EFAULT in case of an error, perhaps it would be better here to
> return the value of memcpy_from_msg() instead of wiring the error.
> 
> However in the end the behavior is the same, so even if you don't want to
> change it I'll leave my R-b:
> 
> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
> 
> Thanks,
> Stefano

Thank you for review. Sure, I will change that in V3

Artem
diff mbox series

Patch

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..c94c3deaa09d 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,10 @@  static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len)) {
+		kfree(dg);
+		return -EFAULT;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);