Replace copy_from_user and memdup_user with safe memory copies.

Taogle2018 · Taogle2018 · commit 77af9157a8ba · 2024-04-01T18:50:12.000-07:00
This implementation will validate the size of copying against the
maximum size of input buffer supplied by Windows.

Change-Id: I1df0766b4e37415c12f42da57342c86f338c55b8
diff --git a/aehd_main.c b/aehd_main.c
@@ -64,6 +64,33 @@ int aehdUpdateReturnBuffer(PIRP pIrp, u32 start, void *src, u32 size)
 	return 0;
 }
 
+int aehdCopyInputBuffer(PIRP pIrp, u32 start, void* dst, u32 size)
+{
+	PIO_STACK_LOCATION pIoStack = IoGetCurrentIrpStackLocation(pIrp);
+	unsigned char* pBuff = pIrp->AssociatedIrp.SystemBuffer;
+	u32 buffSize = pIoStack->Parameters.DeviceIoControl.InputBufferLength;
+
+	if (((u64)start + (u64)size) > buffSize)
+		return -E2BIG;
+
+	RtlCopyBytes(dst, pBuff + start, size);
+	return 0;
+}
+
+void* aehdMemdupUser(PIRP pIrp, u32 start, u32 size)
+{
+	void* buf = kzalloc(size, GFP_KERNEL);
+	if (!buf)
+		return ERR_PTR(-ENOMEM);
+
+	if (aehdCopyInputBuffer(pIrp, start, buf, size)) {
+		kfree(buf);
+		return ERR_PTR(-EFAULT);
+
+	}
+	return buf;
+}
+
 VOID NTAPI aehdWaitSuspend(
 	_In_ PKAPC Apc,
 	_Inout_ PKNORMAL_ROUTINE* NormalRoutine,
diff --git a/aehd_main.h b/aehd_main.h
@@ -29,6 +29,9 @@ struct aehd_device_extension {
 extern PVOID pZeroPage;
 
 extern int aehdUpdateReturnBuffer(PIRP pIrp, u32 start, void *src, u32 size);
+extern int aehdCopyInputBuffer(PIRP pIrp, u32 start, void* dst, u32 size);
+extern void* aehdMemdupUser(PIRP pIrp, u32 start, u32 size);
+
 extern void aehdWaitSuspend(
 	_In_ PKAPC Apc,
 	_Inout_ PKNORMAL_ROUTINE* NormalRoutine,
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
@@ -164,7 +164,7 @@ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu)
 	return 36;
 }
 
-int kvm_vcpu_ioctl_set_cpuid(struct kvm_vcpu *vcpu,
+int kvm_vcpu_ioctl_set_cpuid(PIRP pIrp, struct kvm_vcpu *vcpu,
 			      struct kvm_cpuid *cpuid,
 			      struct kvm_cpuid_entry __user *entries)
 {
@@ -174,7 +174,7 @@ int kvm_vcpu_ioctl_set_cpuid(struct kvm_vcpu *vcpu,
 	if (cpuid->nent > AEHD_MAX_CPUID_ENTRIES)
 		goto out;
 	r = -EFAULT;
-	if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
+	if (aehdCopyInputBuffer(pIrp, sizeof(cpuid), &vcpu->arch.cpuid_entries,
 			   cpuid->nent * sizeof(struct kvm_cpuid_entry)))
 		goto out;
 	vcpu->arch.cpuid_nent = cpuid->nent;
@@ -594,7 +594,7 @@ static bool is_centaur_cpu(const struct kvm_cpuid_param *param)
 	return 0;
 }
 
-static bool sanity_check_entries(struct kvm_cpuid_entry __user *entries,
+static bool sanity_check_entries(PIRP pIrp, struct kvm_cpuid_entry __user *entries,
 				 __u32 num_entries, unsigned int ioctl_type)
 {
 	int i;
@@ -612,7 +612,9 @@ static bool sanity_check_entries(struct kvm_cpuid_entry __user *entries,
 	 * sheds a tear.
 	 */
 	for (i = 0; i < num_entries; i++) {
-		if (copy_from_user(pad, entries[i].padding, sizeof(pad)))
+		u32 start = sizeof(struct kvm_cpuid) + i * sizeof(struct kvm_cpuid_entry)
+					+ offsetof(struct kvm_cpuid_entry, padding);
+		if (aehdCopyInputBuffer(pIrp, start, pad, sizeof(pad)))
 			return true;
 
 		if (pad[0] || pad[1] || pad[2])
@@ -639,7 +641,7 @@ int kvm_dev_ioctl_get_cpuid(PIRP pIrp, struct kvm_cpuid *cpuid,
 	if (cpuid->nent > AEHD_MAX_CPUID_ENTRIES)
 		cpuid->nent = AEHD_MAX_CPUID_ENTRIES;
 
-	if (sanity_check_entries(entries, cpuid->nent, type))
+	if (sanity_check_entries(pIrp, entries, cpuid->nent, type))
 		return -EINVAL;
 
 	r = -ENOMEM;
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
@@ -17,12 +17,9 @@ struct kvm_cpuid_entry *kvm_find_cpuid_entry(struct kvm_vcpu *vcpu,
 int kvm_dev_ioctl_get_cpuid(PIRP pIrp, struct kvm_cpuid *cpuid,
 			    struct kvm_cpuid_entry __user *entries,
 			    unsigned int type);
-int kvm_vcpu_ioctl_set_cpuid(struct kvm_vcpu *vcpu,
+int kvm_vcpu_ioctl_set_cpuid(PIRP Irp, struct kvm_vcpu *vcpu,
 			     struct kvm_cpuid *cpuid,
 			     struct kvm_cpuid_entry __user *entries);
-int kvm_vcpu_ioctl_set_cpuid(struct kvm_vcpu *vcpu,
-			      struct kvm_cpuid *cpuid,
-			      struct kvm_cpuid_entry __user *entries);
 int kvm_vcpu_ioctl_get_cpuid(struct kvm_vcpu *vcpu,
 			      struct kvm_cpuid *cpuid,
 			      struct kvm_cpuid_entry __user *entries);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
@@ -1236,15 +1236,15 @@ static int msr_io(PIRP pIrp, struct kvm_vcpu *vcpu,
 	unsigned size;
 
 	r = -EFAULT;
-	if (copy_from_user(&msrs, user_msrs, sizeof msrs))
+	if (aehdCopyInputBuffer(pIrp, 0, &msrs, sizeof msrs))
 		goto out;
 
 	r = -E2BIG;
 	if (msrs.nmsrs >= MAX_IO_MSRS)
 		goto out;
 
 	size = sizeof(struct kvm_msr_entry) * msrs.nmsrs;
-	entries = memdup_user(user_msrs->entries, size);
+	entries = aehdMemdupUser(pIrp, sizeof(msrs), size);
 	if (IS_ERR(entries)) {
 		r = PTR_ERR(entries);
 		goto out;
@@ -1377,7 +1377,7 @@ long kvm_arch_dev_ioctl(struct aehd_device_extension *devext,
 		struct kvm_cpuid cpuid;
 
 		r = -EFAULT;
-		if (copy_from_user(&cpuid, cpuid_arg, sizeof cpuid))
+		if (aehdCopyInputBuffer(pIrp, 0, &cpuid, sizeof cpuid))
 			goto out;
 
 		r = kvm_dev_ioctl_get_cpuid(pIrp, &cpuid, cpuid_arg->entries,
@@ -1876,7 +1876,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		r = -EINVAL;
 		if (!lapic_in_kernel(vcpu))
 			goto out;
-		u.lapic = memdup_user(argp, sizeof(*u.lapic));
+		u.lapic = aehdMemdupUser(pIrp, 0, sizeof(*u.lapic));
 		if (IS_ERR(u.lapic))
 			return PTR_ERR(u.lapic);
 
@@ -1887,7 +1887,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_interrupt irq;
 
 		r = -EFAULT;
-		if (copy_from_user(&irq, argp, sizeof irq))
+		if (aehdCopyInputBuffer(pIrp, 0, &irq, sizeof irq))
 			goto out;
 		r = kvm_vcpu_ioctl_interrupt(vcpu, &irq);
 		break;
@@ -1905,9 +1905,10 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_cpuid cpuid;
 
 		r = -EFAULT;
-		if (copy_from_user(&cpuid, cpuid_arg, sizeof cpuid))
+		if (aehdCopyInputBuffer(pIrp, 0, &cpuid, sizeof cpuid))
 			goto out;
-		r = kvm_vcpu_ioctl_set_cpuid(vcpu, &cpuid,
+
+		r = kvm_vcpu_ioctl_set_cpuid(pIrp, vcpu, &cpuid,
 					      cpuid_arg->entries);
 		break;
 	}
@@ -1916,7 +1917,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_cpuid cpuid;
 
 		r = -EFAULT;
-		if (copy_from_user(&cpuid, cpuid_arg, sizeof cpuid))
+		if (aehdCopyInputBuffer(pIrp, 0, &cpuid, sizeof cpuid))
 			goto out;
 		r = kvm_vcpu_ioctl_get_cpuid(vcpu, &cpuid,
 					      cpuid_arg->entries);
@@ -1939,7 +1940,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_tpr_access_ctl tac;
 
 		r = -EFAULT;
-		if (copy_from_user(&tac, argp, sizeof tac))
+		if (aehdCopyInputBuffer(pIrp, 0, &tac, sizeof tac))
 			goto out;
 		r = vcpu_ioctl_tpr_access_reporting(vcpu, &tac);
 		if (r)
@@ -1955,7 +1956,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		if (!lapic_in_kernel(vcpu))
 			goto out;
 		r = -EFAULT;
-		if (copy_from_user(&va, argp, sizeof va))
+		if (aehdCopyInputBuffer(pIrp, 0, &va, sizeof va))
 			goto out;
 		idx = srcu_read_lock(&vcpu->kvm->srcu);
 		r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
@@ -1975,7 +1976,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_vcpu_events events;
 
 		r = -EFAULT;
-		if (copy_from_user(&events, argp, sizeof(struct kvm_vcpu_events)))
+		if (aehdCopyInputBuffer(pIrp, 0, &events, sizeof(struct kvm_vcpu_events)))
 			break;
 
 		r = kvm_vcpu_ioctl_x86_set_vcpu_events(vcpu, &events);
@@ -1994,7 +1995,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		struct kvm_debugregs dbgregs;
 
 		r = -EFAULT;
-		if (copy_from_user(&dbgregs, argp,
+		if (aehdCopyInputBuffer(pIrp, 0, &dbgregs,
 				   sizeof(struct kvm_debugregs)))
 			break;
 
@@ -2014,7 +2015,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		break;
 	}
 	case AEHD_SET_XSAVE: {
-		u.xsave = memdup_user(argp, sizeof(*u.xsave));
+		u.xsave = aehdMemdupUser(pIrp, 0, sizeof(*u.xsave));
 		if (IS_ERR(u.xsave))
 			return PTR_ERR(u.xsave);
 
@@ -2034,7 +2035,7 @@ long kvm_arch_vcpu_ioctl(struct aehd_device_extension *devext,
 		break;
 	}
 	case AEHD_SET_XCRS: {
-		u.xcrs = memdup_user(argp, sizeof(*u.xcrs));
+		u.xcrs = aehdMemdupUser(pIrp, 0, sizeof(*u.xcrs));
 		if (IS_ERR(u.xcrs))
 			return PTR_ERR(u.xcrs);
 
@@ -2295,7 +2296,7 @@ long kvm_arch_vm_ioctl(struct aehd_device_extension *devext,
 		/* 0: PIC master, 1: PIC slave, 2: IOAPIC */
 		struct kvm_irqchip *chip;
 
-		chip = memdup_user(argp, sizeof(*chip));
+		chip = aehdMemdupUser(pIrp, 0, sizeof(*chip));
 		if (IS_ERR(chip)) {
 			r = PTR_ERR(chip);
 			goto out;
@@ -2316,7 +2317,7 @@ long kvm_arch_vm_ioctl(struct aehd_device_extension *devext,
 		/* 0: PIC master, 1: PIC slave, 2: IOAPIC */
 		struct kvm_irqchip *chip;
 
-		chip = memdup_user(argp, sizeof(*chip));
+		chip = aehdMemdupUser(pIrp, 0, sizeof(*chip));
 		if (IS_ERR(chip)) {
 			r = PTR_ERR(chip);
 			goto out;
@@ -2346,7 +2347,7 @@ long kvm_arch_vm_ioctl(struct aehd_device_extension *devext,
 		struct kvm_enable_cap cap;
 
 		r = -EFAULT;
-		if (copy_from_user(&cap, argp, sizeof(cap)))
+		if (aehdCopyInputBuffer(pIrp, 0, &cap, sizeof(cap)))
 			goto out;
 		r = kvm_vm_ioctl_enable_cap(kvm, &cap);
 		break;
diff --git a/ntkrutils.h b/ntkrutils.h
@@ -949,18 +949,6 @@ static __inline void kvm_release_page(PMDL mdl)
 	IoFreeMdl(mdl);
 }
 
-/* We actually did not copy from *user* here. This function in kvm is used to
- * ioctl parameters. On Windows, we always use buffered io for device control.
- * Thus the address supplied to copy_from_user is address in kernel space.
- * Simple keep the function name here.
- * __copy_from/to_user is really copying from user space.
- */
-static __inline size_t copy_from_user(void *dst, const void *src, size_t size)
-{
-	memcpy(dst, src, size);
-	return 0;
-}
-
 static __inline size_t __copy_user_safe(void *dst, const void *src, size_t size,
 	       int from)
 {
@@ -1064,17 +1052,6 @@ static __inline void kunmap_atomic(PMDL mdl)
 	kunmap(mdl);
 }
 
-static __inline void *memdup_user(const void *user, size_t size)
-{
-	void *buf = kzalloc(size, GFP_KERNEL);
-
-	if (!buf)
-		return ERR_PTR(-ENOMEM);
-	if (copy_from_user(buf, user, size))
-		return ERR_PTR(-EFAULT);
-	return buf;
-}
-
 /*
  TSC
  */
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
@@ -1891,7 +1891,6 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 {
 	struct aehd_device_extension *devext = pDevObj->DeviceExtension;
 	struct kvm_vcpu *vcpu = devext->PrivData;
-	void __user *argp = (void __user *)pIrp->AssociatedIrp.SystemBuffer;
 	int r;
 	struct kvm_fpu *fpu = NULL;
 	struct kvm_sregs *kvm_sregs = NULL;
@@ -1941,7 +1940,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_regs *kvm_regs;
 
 		r = -ENOMEM;
-		kvm_regs = memdup_user(argp, sizeof(*kvm_regs));
+		kvm_regs = aehdMemdupUser(pIrp, 0, sizeof(*kvm_regs));
 		if (IS_ERR(kvm_regs)) {
 			r = PTR_ERR(kvm_regs);
 			goto out;
@@ -1965,7 +1964,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		break;
 	}
 	case AEHD_SET_SREGS: {
-		kvm_sregs = memdup_user(argp, sizeof(*kvm_sregs));
+		kvm_sregs = aehdMemdupUser(pIrp, 0, sizeof(*kvm_sregs));
 		if (IS_ERR(kvm_sregs)) {
 			r = PTR_ERR(kvm_sregs);
 			kvm_sregs = NULL;
@@ -1987,7 +1986,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_mp_state mp_state;
 
 		r = -EFAULT;
-		if (copy_from_user(&mp_state, argp, sizeof(mp_state)))
+		if (aehdCopyInputBuffer(pIrp, 0, &mp_state, sizeof(mp_state)))
 			goto out;
 		r = kvm_arch_vcpu_ioctl_set_mpstate(vcpu, &mp_state);
 		break;
@@ -1996,7 +1995,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_translation tr;
 
 		r = -EFAULT;
-		if (copy_from_user(&tr, argp, sizeof(tr)))
+		if (aehdCopyInputBuffer(pIrp, 0, &tr, sizeof(tr)))
 			goto out;
 		r = kvm_arch_vcpu_ioctl_translate(vcpu, &tr);
 		if (r)
@@ -2008,7 +2007,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_guest_debug dbg;
 
 		r = -EFAULT;
-		if (copy_from_user(&dbg, argp, sizeof(dbg)))
+		if (aehdCopyInputBuffer(pIrp, 0, &dbg, sizeof(dbg)))
 			goto out;
 		r = kvm_arch_vcpu_ioctl_set_guest_debug(vcpu, &dbg);
 		break;
@@ -2025,7 +2024,7 @@ NTSTATUS kvm_vcpu_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		break;
 	}
 	case AEHD_SET_FPU: {
-		fpu = memdup_user(argp, sizeof(*fpu));
+		fpu = aehdMemdupUser(pIrp, 0, sizeof(*fpu));
 		if (IS_ERR(fpu)) {
 			r = PTR_ERR(fpu);
 			fpu = NULL;
@@ -2089,7 +2088,7 @@ NTSTATUS kvm_vm_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_dirty_log log;
 
 		r = -EFAULT;
-		if (copy_from_user(&log, argp, sizeof(log)))
+		if (aehdCopyInputBuffer(pIrp, 0, &log, sizeof(log)))
 			goto out;
 		r = kvm_vm_ioctl_get_dirty_log(kvm, &log);
 		break;
@@ -2112,7 +2111,7 @@ NTSTATUS kvm_vm_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_irq_level irq_event;
 
 		r = -EFAULT;
-		if (copy_from_user(&irq_event, argp, sizeof(irq_event)))
+		if (aehdCopyInputBuffer(pIrp, 0, &irq_event, sizeof(irq_event)))
 			goto out;
 
 		r = kvm_vm_ioctl_irq_line(kvm, &irq_event, true);
@@ -2135,7 +2134,7 @@ NTSTATUS kvm_vm_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 		struct kvm_irq_routing_entry *entries = NULL;
 
 		r = -EFAULT;
-		if (copy_from_user(&routing, argp, sizeof(routing)))
+		if (aehdCopyInputBuffer(pIrp, 0, &routing, sizeof(routing)))
 			goto out;
 		r = -EINVAL;
 		if (routing.nr > AEHD_MAX_IRQ_ROUTES)
@@ -2149,7 +2148,7 @@ NTSTATUS kvm_vm_ioctl(PDEVICE_OBJECT pDevObj, PIRP pIrp,
 				goto out;
 			r = -EFAULT;
 			urouting = argp;
-			if (copy_from_user(entries, urouting->entries,
+			if (aehdCopyInputBuffer(pIrp, offsetof(struct kvm_irq_routing, entries), entries,
 					   routing.nr * sizeof(*entries)))
 				goto out_free_irq_routing;
 		}
