On Fri, May 29, 2020 at 4:27 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> a/arch/x86/kvm/hyperv.c
> - if (__clear_user((void __user *)addr, sizeof(u32)))
> + if (__put_user(0, (u32 __user *)addr))
I'm not doubting that this is a correct transformation and an
improvement, but why is it using that double-underscore version in the
first place?
There's a __copy_to_user() in kvm_hv_set_msr_pw() in addition to this
one in kvm_hv_set_msr(). Both go back to 2011 and commit 8b0cedff040b
("KVM: use __copy_to_user/__clear_user to write guest page") and both
look purely like "pointlessly avoid the access_ok".
All these KVM "optimizations" seem entirely pointless, since
access_ok() isn't the problem. And the address _claims_ to be
verified, but I'm not seeing it. There is not a single 'access_ok()'
anywhere in arch/x86/kvm/ that I can see.
It looks like the argument for the address being validated is that it
comes from "gfn_to_hva()", which should only return
host-virtual-addresses. That may be true.
But "should" is not "does", and honestly, the cost of gfn_to_hva() is
high enough that then using that as an argument for removing
"access_ok()" smells.
So I would suggest just removing all these completely bogus
double-underscore versions. It's pointless, it's wrong, and it's
unsafe.
This isn't even some critical path, but even if it was, that user
address check isn't where the problems are.
Linus
