Question about a problem caused by copy_from_sockptr() in get_ext_report()
From: Zichen Xie
Date: Fri Nov 22 2024 - 17:09:09 EST
Dear developers,
I'm curious about whether the function `get_ext_report` might have a
security issue.
The function is
https://elixir.bootlin.com/linux/v6.12/source/drivers/virt/coco/sev-guest/sev-guest.c#L577,
and the relevant code is:
```
if (copy_from_sockptr(report_req, io->req_data, sizeof(*report_req)))
	return -EFAULT;
```
Here copy_from_sockptr() is called without checking the length of
io->req_data. If the remaining length of io->req_data is less than
sizeof(*report_req), the copy should be illegal.
So, I think a check beforehand could be useful.
Please kindly correct me if I missed any key information. Looking
forward to your response!
Best,
Zichen
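
A user-space model of the length check the message asks about, added here as an example; it is not code from the post or from the kernel. The struct layout, `bounded_src`, `copy_checked()` and the demo functions are hypothetical, and the model assumes the caller knows how many bytes are valid behind the source pointer (`sockptr_t` itself carries no length). The kernel's `copy_safe_from_sockptr()` helper takes the source length as an extra argument for the same purpose.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a request struct; not the kernel's layout. */
struct report_req_model {
	uint8_t  user_data[64];
	uint32_t vmpl;
	uint8_t  rsvd[28];
};

/* Hypothetical source descriptor: a pointer plus the bytes valid behind it. */
struct bounded_src {
	const void *data;
	size_t      len;
};

/* Copy exactly ksize bytes, refusing sources shorter than the destination. */
static int copy_checked(void *dst, size_t ksize, struct bounded_src src)
{
	if (!src.data)
		return -EFAULT;
	if (src.len < ksize)
		return -EINVAL;	/* copying would read past the end of the source */
	memcpy(dst, src.data, ksize);
	return 0;
}

/* Constructed input: a complete, correctly sized request. */
static int demo_full(void)
{
	struct report_req_model full = { .vmpl = 1 }, out;
	return copy_checked(&out, sizeof(out), (struct bounded_src){ &full, sizeof(full) });
}

/* Constructed input: a 16-byte buffer offered where a full request is needed. */
static int demo_truncated(void)
{
	uint8_t truncated[16] = { 0 };
	struct report_req_model out;
	return copy_checked(&out, sizeof(out), (struct bounded_src){ truncated, sizeof(truncated) });
}

int main(void)
{
	printf("full: %d, truncated: %d\n", demo_full(), demo_truncated());
	return 0;
}
```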