mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 20:22:09 +00:00
hv_sock: Add validation for untrusted Hyper-V values
For additional robustness in the face of Hyper-V errors or malicious behavior, validate all values that originate from packets that Hyper-V has sent to the guest in the host-to-guest ring buffer. Ensure that invalid values cannot cause data being copied out of the bounds of the source buffer in hvs_stream_dequeue(). Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Reviewed-by: Michael Kelley <mikelley@microsoft.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://lore.kernel.org/r/20220428145107.7878-4-parri.andrea@gmail.com Signed-off-by: Wei Liu <wei.liu@kernel.org>
This commit is contained in:
parent
066f3377fb
commit
dbde6d0c7a
@ -1696,6 +1696,11 @@ static inline u32 hv_pkt_datalen(const struct vmpacket_descriptor *desc)
|
||||
return (desc->len8 << 3) - (desc->offset8 << 3);
|
||||
}
|
||||
|
||||
/* Get packet length associated with descriptor */
|
||||
static inline u32 hv_pkt_len(const struct vmpacket_descriptor *desc)
|
||||
{
|
||||
return desc->len8 << 3;
|
||||
}
|
||||
|
||||
struct vmpacket_descriptor *
|
||||
hv_pkt_iter_first_raw(struct vmbus_channel *channel);
|
||||
|
@ -577,12 +577,18 @@ static bool hvs_dgram_allow(u32 cid, u32 port)
|
||||
static int hvs_update_recv_data(struct hvsock *hvs)
|
||||
{
|
||||
struct hvs_recv_buf *recv_buf;
|
||||
u32 payload_len;
|
||||
u32 pkt_len, payload_len;
|
||||
|
||||
pkt_len = hv_pkt_len(hvs->recv_desc);
|
||||
|
||||
if (pkt_len < HVS_HEADER_LEN)
|
||||
return -EIO;
|
||||
|
||||
recv_buf = (struct hvs_recv_buf *)(hvs->recv_desc + 1);
|
||||
payload_len = recv_buf->hdr.data_size;
|
||||
|
||||
if (payload_len > HVS_MTU_SIZE)
|
||||
if (payload_len > pkt_len - HVS_HEADER_LEN ||
|
||||
payload_len > HVS_MTU_SIZE)
|
||||
return -EIO;
|
||||
|
||||
if (payload_len == 0)
|
||||
|
Loading…
Reference in New Issue
Block a user