[0/3] Use new wrappers to copy userspace arrays

Message ID	20231102181526.43279-1-pstanner@redhat.com (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C7F32110F for <kvm@vger.kernel.org>; Thu, 2 Nov 2023 18:16:05 +0000 (UTC) From: Philipp Stanner <pstanner@redhat.com> To: Christian Borntraeger <borntraeger@linux.ibm.com>, Janosch Frank <frankja@linux.ibm.com>, Claudio Imbrenda <imbrenda@linux.ibm.com>, David Hildenbrand <david@redhat.com>, Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Alexander Gordeev <agordeev@linux.ibm.com>, Sven Schnelle <svens@linux.ibm.com>, Sean Christopherson <seanjc@google.com>, Paolo Bonzini <pbonzini@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@linux.intel.com>, "H. Peter Anvin" <hpa@zytor.com> Cc: kvm@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, Philipp Stanner <pstanner@redhat.com> Subject: [PATCH 0/3] Use new wrappers to copy userspace arrays Date: Thu, 2 Nov 2023 19:15:23 +0100 Message-ID: <20231102181526.43279-1-pstanner@redhat.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Use new wrappers to copy userspace arrays \| expand [0/3] Use new wrappers to copy userspace arrays [1/3] arch/x86/kvm: copy user-array with overflow-check [2/3] arch/s390/kvm: copy userspace-array safely [3/3] virt/kvm: copy userspace-array safely

Message ID

20231102181526.43279-1-pstanner@redhat.com (mailing list archive)

Headers

From: Philipp Stanner <pstanner@redhat.com>
To: Christian Borntraeger <borntraeger@linux.ibm.com>,
	Janosch Frank <frankja@linux.ibm.com>,
	Claudio Imbrenda <imbrenda@linux.ibm.com>,
	David Hildenbrand <david@redhat.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Alexander Gordeev <agordeev@linux.ibm.com>,
	Sven Schnelle <svens@linux.ibm.com>,
	Sean Christopherson <seanjc@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Borislav Petkov <bp@alien8.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>
Cc: kvm@vger.kernel.org,
	linux-s390@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	x86@kernel.org,
	Philipp Stanner <pstanner@redhat.com>
Subject: [PATCH 0/3] Use new wrappers to copy userspace arrays
Date: Thu,  2 Nov 2023 19:15:23 +0100
Message-ID: <20231102181526.43279-1-pstanner@redhat.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Use new wrappers to copy userspace arrays | expand

Message

Philipp Stanner Nov. 2, 2023, 6:15 p.m. UTC

Hi,

Linus recently merged [1] the wrapper functions memdup_array_user() and
vmemdup_array_user() in include/linux/string.h for Kernel v6.7

I am currently adding them to all places where (v)memdup_user() had been
used to copy arrays.

The wrapper is different to the wrapped functions only in that it might
return -EOVERFLOW. So this new error code might get pushed up to
userspace. I hope this is fine.

I felt that it might be a good idea to land those three patches here
with a single series, since they all touch something KVM-related.

Kind regards,
P.

[1] https://lore.kernel.org/all/169886743808.2396.17544791408117731525.pr-tracker-bot@kernel.org/

Philipp Stanner (3):
  arch/x86/kvm: copy user-array with overflow-check
  arch/s390/kvm: copy userspace-array safely
  virt/kvm: copy userspace-array safely

 arch/s390/kvm/guestdbg.c | 4 ++--
 arch/x86/kvm/cpuid.c     | 4 ++--
 virt/kvm/kvm_main.c      | 5 ++---
 3 files changed, 6 insertions(+), 7 deletions(-)

Comments

Sean Christopherson Dec. 1, 2023, 1:52 a.m. UTC | #1

On Thu, 02 Nov 2023 19:15:23 +0100, Philipp Stanner wrote:
> Linus recently merged [1] the wrapper functions memdup_array_user() and
> vmemdup_array_user() in include/linux/string.h for Kernel v6.7
> 
> I am currently adding them to all places where (v)memdup_user() had been
> used to copy arrays.
> 
> The wrapper is different to the wrapped functions only in that it might
> return -EOVERFLOW. So this new error code might get pushed up to
> userspace. I hope this is fine.
> 
> [...]

Applied to kvm-x86 generic.  Claudio (or anyone else from s390), holler if
you want to take the s390 patch through the s390 tree.

I massaged the shortlogs to use KVM's standard scopes, and to make it clear
that these are hardening patches, i.e. that there is no unsafe/buggy behavior
that is being fixed.  I also added a note at the end of each changelog to call
out that KVM pre-checks the sizes before copying, again to make it clear that
using the safer helper isn't expected to actually change KVM's behavior.

[1/3] KVM: x86: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/573cc0e5cf14
[2/3] KVM: s390: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/8b81a8d7c6b7
[3/3] KVM: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/bc2cad56094c

--
https://github.com/kvm-x86/linux/tree/next

Christian Borntraeger Dec. 1, 2023, 11:24 a.m. UTC | #2

Am 01.12.23 um 02:52 schrieb Sean Christopherson:
> On Thu, 02 Nov 2023 19:15:23 +0100, Philipp Stanner wrote:
>> Linus recently merged [1] the wrapper functions memdup_array_user() and
>> vmemdup_array_user() in include/linux/string.h for Kernel v6.7
>>
>> I am currently adding them to all places where (v)memdup_user() had been
>> used to copy arrays.
>>
>> The wrapper is different to the wrapped functions only in that it might
>> return -EOVERFLOW. So this new error code might get pushed up to
>> userspace. I hope this is fine.
>>
>> [...]
> 
> Applied to kvm-x86 generic.  Claudio (or anyone else from s390), holler if
> you want to take the s390 patch through the s390 tree.

I think this is fine via your tree.

Feel free to add
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
to patch 2 if the commit id is not yet final.

Sean Christopherson Dec. 1, 2023, 4:02 p.m. UTC | #3

On Fri, Dec 01, 2023, Christian Borntraeger wrote:
> 
> 
> Am 01.12.23 um 02:52 schrieb Sean Christopherson:
> > On Thu, 02 Nov 2023 19:15:23 +0100, Philipp Stanner wrote:
> > > Linus recently merged [1] the wrapper functions memdup_array_user() and
> > > vmemdup_array_user() in include/linux/string.h for Kernel v6.7
> > > 
> > > I am currently adding them to all places where (v)memdup_user() had been
> > > used to copy arrays.
> > > 
> > > The wrapper is different to the wrapped functions only in that it might
> > > return -EOVERFLOW. So this new error code might get pushed up to
> > > userspace. I hope this is fine.
> > > 
> > > [...]
> > 
> > Applied to kvm-x86 generic.  Claudio (or anyone else from s390), holler if
> > you want to take the s390 patch through the s390 tree.
> 
> I think this is fine via your tree.
> 
> Feel free to add
> Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
> to patch 2 if the commit id is not yet final.

Done, thanks much!  New hashes if anyone cares:

[1/3] KVM: x86: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/573cc0e5cf14
[2/3] KVM: s390: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/8c4976772d9b
[3/3] KVM: Harden copying of userspace-array against overflow
      https://github.com/kvm-x86/linux/commit/1f829359c8c3