[v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

Message ID	20221205115200.2987942-1-artem.chernyshev@red-soft.ru (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Artem Chernyshev <artem.chernyshev@red-soft.ru> To: Stefano Garzarella <sgarzare@redhat.com>, Vishnu Dasa <vdasa@vmware.com> Cc: Artem Chernyshev <artem.chernyshev@red-soft.ru>, VMware PV-Drivers Reviewers <pv-drivers@vmware.com>, Bryan Tan <bryantan@vmware.com>, Jakub Kicinski <kuba@kernel.org>, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg() Date: Mon, 5 Dec 2022 14:52:00 +0300 Message-Id: <20221205115200.2987942-1-artem.chernyshev@red-soft.ru> In-Reply-To: <20221205094736.k3yuwk7emijpitvw@sgarzare-redhat> References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit bases: 2022/12/05 07:18:00 bases: 2022/12/05 09:01:00 #20651080 Precedence: bulk
Series	[v3] net: vmw_vsock: vmci: Check memcpy_from_msg() \| expand [v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

Message ID

20221205115200.2987942-1-artem.chernyshev@red-soft.ru (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
To: Stefano Garzarella <sgarzare@redhat.com>,
        Vishnu Dasa <vdasa@vmware.com>
Cc: Artem Chernyshev <artem.chernyshev@red-soft.ru>,
        VMware PV-Drivers Reviewers <pv-drivers@vmware.com>,
        Bryan Tan <bryantan@vmware.com>,
        Jakub Kicinski <kuba@kernel.org>, linux-kernel@vger.kernel.org,
        virtualization@lists.linux-foundation.org, netdev@vger.kernel.org,
        lvc-project@linuxtesting.org
Subject: [PATCH v3] net: vmw_vsock: vmci: Check memcpy_from_msg()
Date: Mon,  5 Dec 2022 14:52:00 +0300
Message-Id: <20221205115200.2987942-1-artem.chernyshev@red-soft.ru>
In-Reply-To: <20221205094736.k3yuwk7emijpitvw@sgarzare-redhat>
References: 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v3] net: vmw_vsock: vmci: Check memcpy_from_msg() | expand

Context	Check	Description
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cover_letter	success	Single patches do not need cover letters
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers	fail	1 blamed authors not CCed: viro@zeniv.linux.org.uk; 4 maintainers not CCed: edumazet@google.com davem@davemloft.net pabeni@redhat.com viro@zeniv.linux.org.uk
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cover_letter

success

Single patches do not need cover letters

netdev/patch_count

success

Link

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/cc_maintainers

fail

1 blamed authors not CCed: viro@zeniv.linux.org.uk; 4 maintainers not CCed: edumazet@google.com davem@davemloft.net pabeni@redhat.com viro@zeniv.linux.org.uk

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/module_param

success

Was 0 now: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 12 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Artem Chernyshev Dec. 5, 2022, 11:52 a.m. UTC

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). Return with an error if the memcpy fails.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
V1->V2 Fix memory leaking and updates for description
V2->V3 Return the value of memcpy_from_msg()

 net/vmw_vsock/vmci_transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Stefano Garzarella Dec. 5, 2022, 1:06 p.m. UTC | #1

On Mon, Dec 05, 2022 at 02:52:00PM +0300, Artem Chernyshev wrote:
>vmci_transport_dgram_enqueue() does not check the return value
>of memcpy_from_msg(). Return with an error if the memcpy fails.
>
>Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
>Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
>Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
>---
>V1->V2 Fix memory leaking and updates for description
>V2->V3 Return the value of memcpy_from_msg()
>
> net/vmw_vsock/vmci_transport.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)

Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>

Vishnu Dasa Dec. 5, 2022, 11:03 p.m. UTC | #2

> On Dec 5, 2022, at 3:52 AM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> 
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg(). Return with an error if the memcpy fails.

I think we can add some more information in the description.  Sorry, I
should've said this earlier.

vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination.  Return with an error if
memcpy_from_msg() fails.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>

Thanks, Artem!  This version looks good to me modulo my suggestion
about the description above.

Reviewed-by: Vishnu Dasa <vdasa@vmware.com>

Regards,
Vishnu

> ---
> V1->V2 Fix memory leaking and updates for description
> V2->V3 Return the value of memcpy_from_msg()
> 
> net/vmw_vsock/vmci_transport.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index 842c94286d31..36eb16a40745 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
> 	if (!dg)
> 		return -ENOMEM;
> 
> -	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> +	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> +	if (err) {
> +		kfree(dg);
> +		return err;
> +	}
> 
> 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
> 				   remote_addr->svm_port);
> -- 
> 2.30.3
>

Artem Chernyshev Dec. 6, 2022, 6:52 a.m. UTC | #3

Hi,
On Mon, Dec 05, 2022 at 11:03:47PM +0000, Vishnu Dasa wrote:
> 
> > On Dec 5, 2022, at 3:52 AM, Artem Chernyshev <artem.chernyshev@red-soft.ru> wrote:
> > 
> > vmci_transport_dgram_enqueue() does not check the return value
> > of memcpy_from_msg(). Return with an error if the memcpy fails.
> 
> I think we can add some more information in the description.  Sorry, I
> should've said this earlier.
> 
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg().  If memcpy_from_msg() fails, it is possible that
> uninitialized memory contents are sent unintentionally instead of user's
> message in the datagram to the destination.  Return with an error if
> memcpy_from_msg() fails.
> 
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> > Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
> 
> Thanks, Artem!  This version looks good to me modulo my suggestion
> about the description above.
> 
> Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
> 
> Regards,
> Vishnu
> 
No problem, I'll change description in v4

Thanks,
Artem

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 842c94286d31..36eb16a40745 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1711,7 +1711,11 @@  static int vmci_transport_dgram_enqueue(
 	if (!dg)
 		return -ENOMEM;
 
-	memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+	if (err) {
+		kfree(dg);
+		return err;
+	}
 
 	dg->dst = vmci_make_handle(remote_addr->svm_cid,
 				   remote_addr->svm_port);

[v3] net: vmw_vsock: vmci: Check memcpy_from_msg()

Checks

Commit Message

Comments

Patch