Re: [PATCH v2 1/3] tools: hv: fcopy_daemon: Check buffer limits

From: Greg KH
Date: Fri Nov 07 2014 - 13:19:11 EST


On Tue, Oct 21, 2014 at 04:46:58PM +0200, Matej Mužila wrote:
> From: Matej Mužila <mmuzila@xxxxxxxxxx>
>
> Check if cpmsg->size is in limits of DATA_FRAGMENT
>
> Signed-off-by: Matej Mužila <mmuzila@xxxxxxxxxx>
> ---
>
> If corrupted data are read from /dev/vmbus/hv_fcopy, pwrite can
> read from memory outside of the buffer (defined at line 138).
> Added check.
>
> Changes made since v1:
> * max value of cpmsg->size is now derived from structure
> definition in sources/include/uapi/linux/hyperv.h
> * Fixed comments
>
>
> diff --git a/tools/hv/hv_fcopy_daemon.c b/tools/hv/hv_fcopy_daemon.c
> index 6f27e2f..1fc2dc2 100644
> --- a/tools/hv/hv_fcopy_daemon.c
> +++ b/tools/hv/hv_fcopy_daemon.c
> @@ -104,6 +104,10 @@ static int hv_copy_data(struct hv_do_fcopy *cpmsg)
> {
> ssize_t bytes_written;
>
> + /* Check if the cpmsg->size is in limits of DATA_FRAGMENT */
> + if (cpmsg->size > sizeof(cpmsg->data))
> + return HV_E_FAIL;
> +
> bytes_written = pwrite(target_fd, cpmsg->data, cpmsg->size,
> cpmsg->offset);
>
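
Review bot: the early return under the new `cpmsg->size > sizeof(cpmsg->data)` check in hv_copy_data() hands back HV_E_FAIL with no log line, so nothing on the guest records that a message with an out-of-range size was rejected; consider logging the offending size before returning. The comment above the check names DATA_FRAGMENT while the condition compares against sizeof(cpmsg->data); either drop the comment, since it only restates the condition, or word it in terms of the data buffer that pwrite() reads from. Bounding by sizeof(cpmsg->data) rather than a separate constant is a sound choice, since the limit then follows the structure definition.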

ALWAYS run your patches through checkpatch before sending them, so you
don't get grumpy emails from maintainers telling you to do the same
thing...

Please fix this up and resend the whole series.

thanks,

greg k-h