> On Dec 5, 2022, at 3:52 AM, Artem Chernyshev <artem.chernyshev@xxxxxxxxxxx> wrote:
>
> vmci_transport_dgram_enqueue() does not check the return value
> of memcpy_from_msg(). Return with an error if the memcpy fails.
I think we can add some more information in the description. Sorry, I
should've said this earlier.
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination. Return with an error if
memcpy_from_msg() fails.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
> Signed-off-by: Artem Chernyshev <artem.chernyshev@xxxxxxxxxxx>
Thanks, Artem! This version looks good to me modulo my suggestion
about the description above.
Reviewed-by: Vishnu Dasa <vdasa@xxxxxxxxxx>
Regards,
Vishnu
> ---
> V1->V2 Fix memory leaking and updates for description
> V2->V3 Return the value of memcpy_from_msg()
>
> net/vmw_vsock/vmci_transport.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index 842c94286d31..36eb16a40745 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -1711,7 +1711,11 @@ static int vmci_transport_dgram_enqueue(
> if (!dg)
> return -ENOMEM;
>
> - memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> + err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
> + if (err) {
> + kfree(dg);
> + return err;
> + }
>
> dg->dst = vmci_make_handle(remote_addr->svm_cid,
> remote_addr->svm_port);
> --
> 2.30.3
>
_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
