Re: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in... | linux-hyperv

[PATCH 0/6] Drivers: hv: vmbus: More VMBus-hardening changes · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
[PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc() · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Wei Liu <wei.liu@kernel.org> · 2020-11-24
Re: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Andrea Parri <parri.andrea@gmail.com> · 2020-11-24
RE: [PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() · Michael Kelley <hidden> · 2020-12-06
[PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
RE: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · Michael Kelley <hidden> · 2020-12-06
Re: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc() · Andrea Parri <parri.andrea@gmail.com> · 2020-12-06
[PATCH 5/6] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind() · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18
[PATCH 6/6] Drivers: hv: vmbus: Do not allow overwriting vmbus_connection.channels[] · "Andrea Parri (Microsoft)" <parri.andrea@gmail.com> · 2020-11-18

Re: [PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc()

From: Andrea Parri <parri.andrea@gmail.com>
Date: 2020-12-06 18:21:39
Also in: lkml

On Sun, Dec 06, 2020 at 05:14:18PM +0000, Michael Kelley wrote:

From: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Sent: Wednesday, November 18, 2020 6:37 AM

quoted

vmbus_on_msg_dpc() double fetches from payload_size.  The double fetch
can lead to a buffer overflow when (mem)copying the hv_message object.
Avoid the double fetch by saving the value of payload_size into a local
variable.

Similar comment here about providing some brief context in the commit
message on the problem that we are guarding against by removing the
double fetch.

Will expand.

I could see combining this patch with the previous one since the
motivation and pattern of the changes are exactly the same, just for
two different fields.

Will consider this suggestion for v3.  Please see v2 for a related
discussion.

  Andrea

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help