Re: [PATCH] vfio: checking of validity of user vaddr in vfio_dma_rw

Kees Cook <keescook@xxxxxxxxxxxx> · Wed, 8 Apr 2020 09:59:44 -0700

On Wed, Apr 08, 2020 at 03:11:21AM -0400, Yan Zhao wrote:
> instead of calling __copy_to/from_user(), use copy_to_from_user() to
> ensure vaddr range is a valid user address range before accessing them.
> 
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> 
> Fixes: 8d46c0cca5f4 ("vfio: introduce vfio_dma_rw to read/write a range of IOVAs")
> Signed-off-by: Yan Zhao <yan.y.zhao@xxxxxxxxx>

Thanks!

Reported-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

-Kees

> ---
>  drivers/vfio/vfio_iommu_type1.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index 3aefcc8e2933..fbc58284b333 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -2345,10 +2345,10 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu,
>  	vaddr = dma->vaddr + offset;
>  
>  	if (write)
> -		*copied = __copy_to_user((void __user *)vaddr, data,
> +		*copied = copy_to_user((void __user *)vaddr, data,
>  					 count) ? 0 : count;
>  	else
> -		*copied = __copy_from_user(data, (void __user *)vaddr,
> +		*copied = copy_from_user(data, (void __user *)vaddr,
>  					   count) ? 0 : count;
>  	if (kthread)
>  		unuse_mm(mm);
> -- 
> 2.17.1
> 

-- 
Kees Cook