archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-09 05:26:38 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/drivers/misc
History
Harshit Mogalapalli 19b070fefd VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() 
Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.

memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)

WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237

Some code commentry, based on my understanding:

544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size

memcpy(&dg_info->msg, dg, dg_size);
	Destination = dg_info->msg ---> this is a 24 byte
					structure(struct vmci_datagram)
	Source = dg --> this is a 24 byte structure (struct vmci_datagram)
	Size = dg_size = 24 + payload_size

{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.

 35 struct delayed_datagram_info {
 36         struct datagram_entry *entry;
 37         struct work_struct work;
 38         bool in_dg_host_queue;
 39         /* msg and msg_payload must be together. */
 40         struct vmci_datagram msg;
 41         u8 msg_payload[];
 42 };

So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.

One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.

Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."

Reported-by: syzkaller <syzkaller@googlegroups.com>
Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
Signed-off-by: Kees Cook <keescook@chromium.org>
2024-02-01 10:06:42 -08:00
..
altera-stapl misc: add HAS_IOPORT dependencies 2023-05-29 15:05:00 +01:00
bcm-vk tty: bcm: convert to u8 and size_t 2023-12-08 12:02:37 +01:00
c2port c2port: replace deprecated strncpy with strscpy 2023-10-05 13:34:05 +02:00
cardreader misc: rtsx: add to support new card reader rts5264 2023-12-15 17:27:04 +01:00
cb710 cb710: avoid NULL pointer subtraction 2021-10-05 15:50:05 +02:00
cxl powerpc: Add PVN support for HeXin C2000 processor 2023-12-01 21:15:33 +11:00
echo
eeprom This cycle, I2C removes the currently unused CLASS_DDC support 2024-01-18 17:29:01 -08:00
genwqe mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-01-08 15:27:15 -08:00
ibmasm ibmasm: convert to new timestamp accessors 2023-10-18 13:26:16 +02:00
lis3lv02d misc: lis3lv02d_i2c: Add missing setting of the reg_ctrl callback 2024-01-04 17:01:14 +01:00
lkdtm lkdtm/bugs: In lkdtm_HUNG_TASK() use BUG(), not BUG_ON(1) 2024-02-01 09:44:07 -08:00
mchp_pci1xxxx misc: microchip: pci1xxxx: Fix some NULL vs IS_ERR() bugs 2023-08-12 12:58:56 +02:00
mei mei: rework Kconfig dependencies 2023-12-15 17:02:15 +01:00
ocxl powerpc updates for 6.8 2024-01-08 16:22:47 -08:00
pvpanic pvpanic: Kill duplicate PCI_VENDOR_ID_REDHAT definition 2024-01-04 17:01:14 +01:00
sgi-gru arch: Remove Itanium (IA-64) architecture 2023-09-11 08:13:17 +00:00
sgi-xp sysctl-6.7-rc1 2023-11-01 20:51:41 -10:00
ti-st drivers: misc: ti-st: replace deprecated strncpy with strscpy 2023-10-05 13:34:04 +02:00
uacce uacce: make uacce_class constant 2023-10-27 08:51:00 +02:00
vmw_vmci VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() 2024-02-01 10:06:42 -08:00
ad525x_dpot-i2c.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
ad525x_dpot-spi.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
ad525x_dpot.c misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
ad525x_dpot.h misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
apds990x.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
apds9802als.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
atmel-ssc.c misc: atmel-ssc: Use devm_platform_get_and_ioremap_resource() 2023-08-04 15:38:45 +02:00
bh1770glc.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
cs5535-mfgpt.c
ds1682.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
dummy-irq.c
dw-xdata-pcie.c dw-xdata: Remove usage of the deprecated ida_simple_*() API 2023-12-31 11:09:26 +00:00
enclosure.c drivers: remove struct module * setting from struct class 2023-03-17 15:16:27 +01:00
fastrpc.c misc: fastrpc: Unmap only if buffer is unmapped from DSP 2023-10-16 20:58:50 +02:00
gehc-achc.c misc: gehc: Add SPI ID table 2021-10-05 15:47:18 +02:00
hi6421v600-irq.c misc: hi6421-spmi-pmic: Remove redundant dev_err() 2023-08-04 15:39:10 +02:00
hisi_hikey_usb.c misc: hisi_hikey_usb: change the DT schema 2021-09-14 10:57:31 +02:00
hmc6352.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
hpilo.c misc: hpilo: make ilo_class a static const structure 2023-08-11 21:41:36 +02:00
hpilo.h
ibmvmc.c Char/Misc and other driver changes for 6.7-rc1 2023-11-03 14:51:08 -10:00
ibmvmc.h
ics932s401.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
isl29003.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
isl29020.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
Kconfig misc: nsm: remove selecting the non-existing config CBOR 2023-12-15 17:07:41 +01:00
kgdbts.c kgdbts: fix return value of __setup handler 2022-03-18 14:17:56 +01:00
lattice-ecp3-config.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
Makefile misc: Add Nitro Secure Module driver 2023-11-28 19:05:16 +00:00
nsm.c misc: Add Nitro Secure Module driver 2023-11-28 19:05:16 +00:00
open-dice.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
pch_phub.c
pci_endpoint_test.c Merge branch 'pci/misc' 2024-01-15 12:10:41 -06:00
phantom.c misc: phantom: make phantom_class constant 2023-10-25 11:07:11 +02:00
qcom-coincell.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
smpro-errmon.c misc: smpro-errmon: Remove the unneeded include <linux/i2c.h> 2023-05-31 19:00:10 +01:00
smpro-misc.c misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
sram-exec.c mm: Introduce set_memory_rox() 2022-12-15 10:37:26 -08:00
sram.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
sram.h misc: sram: Improve and simplify clk handling 2023-03-09 17:31:53 +01:00
tifm_7xx1.c misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() 2022-11-23 19:55:26 +01:00
tifm_core.c driver core: make struct bus_type.uevent() take a const * 2023-01-27 13:45:52 +01:00
tps6594-esm.c Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
tps6594-pfsm.c misc: tps6594: Remove redundant dev_err_probe() for platform_get_irq_byname() 2023-08-12 12:58:40 +02:00
tsl2550.c misc: Switch i2c drivers back to use .probe() 2023-05-29 15:04:52 +01:00
vcpu_stall_detector.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
vmw_balloon.c vmw_balloon: dynamically allocate the vmw-balloon shrinker 2023-10-04 10:32:25 -07:00
xilinx_sdfec.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
xilinx_tmr_inject.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00
xilinx_tmr_manager.c misc: Explicitly include correct DT includes 2023-08-04 15:39:04 +02:00