Re: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory

From: Stefan Berger
Date: Tue May 30 2023 - 13:46:10 EST

Next message: Yonghong Song: "Re: [PATCH v2] kernel: bpf: syscall: fix a possible sleep-in-atomic bug in __bpf_prog_put()"
Previous message: Keith Busch: "Re: [PATCH v1 1/1] nvme: complete directly for hctx with only one ctx mapping"
In reply to: Stefan Berger: "Re: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory"
Next in thread: David Laight: "RE: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/29/23 22:01, Jarkko Sakkinen wrote:

From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxx>

- rc = copy_to_user(buf, proxy_dev->buffer, len);
+ if (buf)
+ rc = copy_to_user(buf, proxy_dev->buffer, len);
+

Looking through other drivers it seems buf is always expected to be a valid non-NULL pointer on file_operations.read().

https://elixir.bootlin.com/linux/latest/source/arch/x86/mm/tlb.c#L1279 simple_read_from_buffer will pass the pointer to the user buffer along and it ('to') ends up in copy_to_user(to, ...);

Same here: https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_fs.c#L41

Next message: Yonghong Song: "Re: [PATCH v2] kernel: bpf: syscall: fix a possible sleep-in-atomic bug in __bpf_prog_put()"
Previous message: Keith Busch: "Re: [PATCH v1 1/1] nvme: complete directly for hctx with only one ctx mapping"
In reply to: Stefan Berger: "Re: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory"
Next in thread: David Laight: "RE: [PATCH RFC v2] tpm: tpm_vtpm_proxy: do not reference kernel memory as user memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]