Displaying 20 results from an estimated 1564 matches for "efault".

2011 Apr 13
1
[PATCH hivex] maint: split long lines
...o = ENOTSUP; goto error; @@ -586,7 +588,8 @@ hivex_node_name (hive_h *h, hive_node_h node) size_t seg_len = block_len (h, node, NULL); if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) { if (h->msglvl >= 2) - fprintf (stderr, "hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n", + fprintf (stderr, "hivex_node_name: returning EFAULT because node name" + " is too long (%zu, %zu)\n", len, seg_len); errno = EFAULT; return NULL; @@ -733,7 +736,8 @@ get_children (hive_h *h,...
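Review bot: in the hivex_node_name hunk the diagnostic "returning EFAULT because node name is too long" is now split across two string literals, so a grep for the full text seen on stderr no longer finds the source line. Consider keeping the format string on one line and wrapping only the arguments (`len, seg_len`), or splitting at a point that keeps the distinctive phrase in one literal.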
2012 Sep 08
3
[patch 1/3] xen/privcmd: check for integer overflow in ioctl
...er at oracle.com> --- Only needed in linux-next. diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c index 215a3c0..fdff8f9 100644 --- a/drivers/xen/privcmd.c +++ b/drivers/xen/privcmd.c @@ -325,6 +325,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, int version) return -EFAULT; /* Returns per-frame error in m.arr. */ m.err = NULL; + if (m.num > SIZE_MAX / sizeof(*m.arr)) + return -EINVAL; if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr))) return -EFAULT; break; @@ -332,6 +334,8 @@ static long privcmd_ioctl_mmap_batch(void __user *udata, in...
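Review bot: the new `m.num > SIZE_MAX / sizeof(*m.arr)` test in privcmd_ioctl_mmap_batch() carries no comment tying it to the `m.num * sizeof(*m.arr)` product passed to access_ok() on the next line; a one-line comment would keep a later cleanup from dropping it as redundant. The following hunk (@@ -332,6 +334,8) also adds two lines to the same function, so if that is the same test for the other version case, a small helper shared by both cases would avoid the duplication.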
2011 Mar 19
1
[patch 1/2] xen-gntdev: return -EFAULT on copy_to_user failure
copy_to_user() returns the amount of data remaining to be copied. We want to return a negative error code here. The upper layers just call WARN_ON() if we return non-zero so this doesn't change the behavior. But returning -EFAULT is still cleaner. Signed-off-by: Dan Carpenter <error27 at gmail.com> diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index 017ce60..b0f9e8f 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -273,7 +273,7 @@ static int __unmap_grant_pages(struct grant_map *map, int of...
2008 Mar 20
0
[RFC/PATCH 07/15] kvm-s390: interrupt subsystem, cpu timer, waitpsw
...addr = disp2; + if (base2) + useraddr += vcpu->arch.guest_gprs[base2]; + + reg = reg1; + + VCPU_EVENT(vcpu, 5, "lctg r1:%x, r3:%x,b2:%x,d2:%x", reg1, reg3, base2, + disp2); + + do { + rc = get_guest_u64(vcpu, useraddr, + &vcpu->arch.sie_block->gcr[reg]); + if (rc == -EFAULT) { + kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING); + break; + } + useraddr += 8; + if (reg == reg3) + break; + reg = reg + 1; + if (reg > 15) + reg = 0; + } while (1); + return 0; +} + +static int handle_lctl(struct kvm_vcpu *vcpu) +{ + int reg1 = (vcpu->arch.sie_block->i...
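Review bot: in the lctg loop only `rc == -EFAULT` is handled, so any other non-zero return from get_guest_u64() is ignored and the loop moves on to the next register; testing `if (rc)` would cover that. get_guest_u64() is also handed a pointer straight into `vcpu->arch.sie_block->gcr[reg]`, so when a later access faults, the control registers loaded so far stay modified while the addressing exception is injected. If that partial update is intended, a comment saying so would help; otherwise read into a temporary array and commit after the loop.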
2005 Dec 09
0
[PATCH] If copy_to_user fails, return EFAULT
...y's patches to add make check and make fullcheck allow you to run portions of the hypervisor under valgrind. While doing this, I noticed that there are a lot of places in dom0_ops.c that we're either not checking the return value of copy_to_user or returning EINVAL instead of EFAULT. The attached patch makes sure wherever we call copy_to_user we check for error and return EFAULT. Regards, Anthony Liguor
2018 Oct 12
2
[PATCH net-next V2 6/8] vhost: packed ring support
...+ } > break; > case VHOST_GET_VRING_BASE: > s.index = idx; > s.num = vq->last_avail_idx; > + if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) > + s.num |= vq->last_avail_wrap_counter << 31; > + if (copy_to_user(argp, &s, sizeof(s))) > + r = -EFAULT; > + break; > + case VHOST_SET_VRING_USED_BASE: > + /* Moving base with an active backend? > + * You don't want to do that. > + */ > + if (vq->private_data) { > + r = -EBUSY; > + break; > + } > + if (copy_from_user(&s, argp, sizeof(s))) { > +...
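Review bot: in VHOST_GET_VRING_BASE, `s.num |= vq->last_avail_wrap_counter << 31` does the shift in int if the counter is a bool or another narrow type, and moving a 1 into bit 31 overflows a signed int; cast first, for example `(u32)vq->last_avail_wrap_counter << 31`. The hunk also relies on last_avail_idx never using bit 31 and gives userspace no name for that bit, so a mask/shift macro in the uapi header with a short comment would document the encoding.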
2013 Jul 25
19
[PATCH hivex 00/19] Fix read/write handling of li-records.
This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.
2007 Apr 18
0
[Bridge] [PATCH] (4/11) bridge - ioctl cleanup and consolidation
...-static int br_dev_do_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) -{ - unsigned long args[4]; - unsigned long *data; - - if (cmd != SIOCDEVPRIVATE) - return -EOPNOTSUPP; - - data = (unsigned long *)rq->ifr_data; - if (copy_from_user(args, data, 4*sizeof(unsigned long))) - return -EFAULT; - - return br_ioctl_device(dev->priv, args[0], args[1], args[2], args[3]); -} - static struct net_device_stats *br_dev_get_stats(struct net_device *dev) { struct net_bridge *br; @@ -115,7 +100,7 @@ ether_setup(dev); - dev->do_ioctl = br_dev_do_ioctl; + dev->do_ioctl = br_dev_ioc...
2019 Sep 12
1
[PATCH 2/4] mm/hmm: allow snapshot of the special zero page
...m.c > +++ b/mm/hmm.c > @@ -532,7 +532,7 @@ static int hmm_vma_handle_pte(struct mm_walk *walk, unsigned long addr, > return -EBUSY; > } else if (IS_ENABLED(CONFIG_ARCH_HAS_PTE_SPECIAL) && pte_special(pte)) { > *pfn = range->values[HMM_PFN_SPECIAL]; > - return -EFAULT; > + return is_zero_pfn(pte_pfn(pte)) ? 0 : -EFAULT; Any chance to just use a normal if here: if (!is_zero_pfn(pte_pfn(pte))) return -EFAULT; return 0;
2016 Aug 02
1
[PATCH -next] vhost: fix missing unlock on error in vhost_net_set_features()
...t/net.c @@ -1104,13 +1104,12 @@ static int vhost_net_set_features(struct vhost_net *n, u64 features) } mutex_lock(&n->dev.mutex); if ((features & (1 << VHOST_F_LOG_ALL)) && - !vhost_log_access_ok(&n->dev)) { - mutex_unlock(&n->dev.mutex); - return -EFAULT; - } + !vhost_log_access_ok(&n->dev)) + goto out_unlock; + if ((features & (1ULL << VIRTIO_F_IOMMU_PLATFORM))) { if (vhost_init_device_iotlb(&n->dev, true)) - return -EFAULT; + goto out_unlock; } for (i = 0; i < VHOST_NET_VQ_MAX; ++i) { @@ -1122,6 +112...
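Review bot: both error paths in vhost_net_set_features() used to `return -EFAULT` and now `goto out_unlock`, but the label sits in the part of the patch cut off here; check that it returns -EFAULT after mutex_unlock() rather than 0 or an unset value. Separately, the context line tests `1 << VHOST_F_LOG_ALL` while the next test uses `1ULL << VIRTIO_F_IOMMU_PLATFORM` against the same u64 features; using 1ULL in both would be consistent.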
2018 Dec 13
1
[PATCH net-next 1/3] vhost: generalize adding used elem
...ct vhost_virtqueue *vq, > > start = vq->last_used_idx & (vq->num - 1); > used = vq->used->ring + start; > - if (count == 1) { > - if (vhost_put_user(vq, heads[0].id, &used->id)) { > - vq_err(vq, "Failed to write used id"); > - return -EFAULT; > - } > - if (vhost_put_user(vq, heads[0].len, &used->len)) { > - vq_err(vq, "Failed to write used len"); > - return -EFAULT; > - } > - } else if (vhost_copy_to_user(vq, used, heads, count * sizeof *used)) { > + if (vhost_copy_to_user(vq, used, heads, c...
2018 Oct 15
2
[PATCH net-next V2 6/8] vhost: packed ring support
...SE: >>> s.index = idx; >>> s.num = vq->last_avail_idx; >>> + if (vhost_has_feature(vq, VIRTIO_F_RING_PACKED)) >>> + s.num |= vq->last_avail_wrap_counter << 31; >>> + if (copy_to_user(argp, &s, sizeof(s))) >>> + r = -EFAULT; >>> + break; >>> + case VHOST_SET_VRING_USED_BASE: >>> + /* Moving base with an active backend? >>> + * You don't want to do that. >>> + */ >>> + if (vq->private_data) { >>> + r = -EBUSY; >>> + break; >&gt...
1999 Sep 15
0
FreeBSD Security Advisory: FreeBSD-SA-99:04.core
...ting core files. This will stop this attack, and all similar such attacks. Here's the patch for freebsd-current: *** kern/imgact_elf.c 1999/07/09 19:10:14 1.61 --- kern/imgact_elf.c 1999/08/26 17:32:48 1.62 *************** *** 722,729 **** if (name == NULL) return (EFAULT); /* XXX -- not the best error */ ! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p); ! error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR); free(name, M_TEMP); if (error) return (error); --- 722,729 ---- if (name == NULL) return (EFAULT); /...
2018 May 18
3
KASAN: use-after-free Read in vhost_chr_write_iter
...tions can run concurrently (please see call sequence below), > and possibly, there is a race on dev->iotlb. > If the switch occurs right after vhost_dev_cleanup() frees > dev->iotlb, vhost_process_iotlb_msg() still sees the non-null value and it > keeps executing without returning -EFAULT. Consequently, use-after-free > occurs > > > Thread interleaving: > CPU0 (vhost_process_iotlb_msg) CPU1 (vhost_dev_cleanup) > (In the case of both VHOST_IOTLB_UPDATE and > VHOST_IOTLB_INVALIDATE) > ===== ===== > vhost_umem_clean(dev->iotlb); > if (!...