On Wed, Dec 02, 2020 at 10:22:09AM +0100, Andrea Parri (Microsoft) wrote: > vmbus_on_msg_dpc() double fetches from msgtype. The double fetch can > lead to an out-of-bound access when accessing the channel_message_table > array. In turn, the use of the out-of-bound entry could lead to code > execution primitive (entry->message_handler()). Avoid the double fetch > by saving the value of msgtype into a local variable. > > Reported-by: Juan Vazquez <juvazq@xxxxxxxxxxxxx> > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@xxxxxxxxx> > --- > drivers/hv/vmbus_drv.c | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > > diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c > index 0a2711aa63a15..82b23baa446d7 100644 > --- a/drivers/hv/vmbus_drv.c > +++ b/drivers/hv/vmbus_drv.c > @@ -1057,6 +1057,7 @@ void vmbus_on_msg_dpc(unsigned long data) > struct hv_message *msg = (struct hv_message *)page_addr + > VMBUS_MESSAGE_SINT; > struct vmbus_channel_message_header *hdr; > + enum vmbus_channel_message_type msgtype; > const struct vmbus_channel_message_table_entry *entry; > struct onmessage_work_context *ctx; > u32 message_type = msg->header.message_type; > @@ -1072,12 +1073,19 @@ void vmbus_on_msg_dpc(unsigned long data) > /* no msg */ > return; > > + /* > + * The hv_message object is in memory shared with the host. The host > + * could erroneously or maliciously modify such object. Make sure to > + * validate its fields and avoid double fetches whenever feasible. > + */ > + > hdr = (struct vmbus_channel_message_header *)msg->u.payload; > + msgtype = hdr->msgtype; Should READ_ONCE be used here? Wei.
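Review bot: in the first hunk, the new local `enum vmbus_channel_message_type msgtype;` is declared two lines above the existing `u32 message_type = msg->header.message_type;`, so the function now carries two near-identical names for two different fields (the hv_message header's message_type and the channel message header's msgtype). Consider a one-line comment on the new declaration, or a more distinct name such as `chan_msgtype`, so a later reader does not confuse the two when auditing which fetches go through the local.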
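Review bot: in the second hunk, `msgtype = hdr->msgtype;` is a plain load from the host-shared hv_message payload, and the comment added just above it says the goal is to avoid double fetches; a plain assignment does not guarantee that, since the compiler may legally re-read `hdr->msgtype` at the later use sites instead of keeping the copy, which would silently reintroduce the double fetch the change is meant to remove. Suggest `msgtype = READ_ONCE(hdr->msgtype);` so the single fetch is enforced rather than assumed. Separately, the diffstat reports 13 insertions and 5 deletions but the quoted diff ends at this assignment, so the bounds check on `msgtype` before it indexes `channel_message_table` and the replaced `hdr->msgtype` reads cannot be confirmed from what is visible here.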