> -----Original Message----- > From: Dmitry Torokhov [mailto:dmitry.torokhov@xxxxxxxxx] > Sent: Monday, September 16, 2013 10:10 AM > To: KY Srinivasan > Cc: Dan Carpenter; olaf@xxxxxxxxx; gregkh@xxxxxxxxxxxxxxxxxxx; > jasowang@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; vojtech@xxxxxxx; linux- > input@xxxxxxxxxxxxxxx; apw@xxxxxxxxxxxxx; devel@xxxxxxxxxxxxxxxxxxxxxx > Subject: Re: [PATCH 1/1] Drivers: input: serio: New driver to support Hyper-V > synthetic keyboard > > On Mon, Sep 16, 2013 at 04:56:03PM +0000, KY Srinivasan wrote: > > > > > > > -----Original Message----- > > > From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] > > > Sent: Monday, September 16, 2013 8:06 AM > > > To: KY Srinivasan > > > Cc: olaf@xxxxxxxxx; gregkh@xxxxxxxxxxxxxxxxxxx; jasowang@xxxxxxxxxx; > > > dmitry.torokhov@xxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; > vojtech@xxxxxxx; > > > linux-input@xxxxxxxxxxxxxxx; apw@xxxxxxxxxxxxx; > devel@xxxxxxxxxxxxxxxxxxxxxx > > > Subject: Re: [PATCH 1/1] Drivers: input: serio: New driver to support Hyper-V > > > synthetic keyboard > > > > > > On Mon, Sep 16, 2013 at 02:46:24PM +0000, KY Srinivasan wrote: > > > > > > + case VM_PKT_DATA_INBAND: > > > > > > + hv_kbd_on_receive(device, desc); > > > > > > > > > > This is the error handling I mentioned at the top. hv_kbd_on_receive() > > > > > doesn't take into consideration the amount of data we recieved, it > > > > > trusts the offset we recieved from the user. There is an out of bounds > > > > > read. > > > > > > > > What user are you referring to. The message is sent by the host - the user > > > keystroke > > > > is normalized into a fixed size packet by the host and sent to the guest. We > will > > > parse this > > > > packet, based on the host specified layout here. > > > > > > > > > > The user means the hypervisor, yes. > > > > > > I don't want the hypervisor accessing outside of the buffer. It is > > > robustness issue. Just check the offset against "bytes_recvd". It's > > > not complicated. > > > > At the outset, let me apologize for not understanding your concern. > > You say: " I don't want the hypervisor accessing outside of the buffer" > > Where did you see the hypervisor accessing anything outside the buffer? > > The buffer is allocated by this driver and a packet from vmbus is read into this > > buffer - this is the call to vmbus_recvpacket(). If the specified buffer is smaller > > than the packet that needs to be read, then nothing will be read. Once the read > > completes, we can be sure we have read a valid packet and can proceed to > parse it in > > this driver. > > The concern is that number of bytes received and contents of a packet > are not in sync. Imagine if we were told that 16 butes was received but > in the packet offset is 78. Then we'll try reading well past the buffer > boundary that we allocated for the packets. I am not sure how this would be the case. Following are the semantics of the function vmbus_recvpacket_raw(): If the packet to be read is larger than the buffer specified; nothing will be read and appropriate error is returned. If a packet is read, the complete packet is read and so we can safely peek into this packet based on the information in the header. Regards, K. Y _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
