DSAN warnings suggest invalid page accesses in prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c

Discussion in 'Linux Virtual Machine' started by JohnB77, Jul 4, 2024.

  1. JohnB77

    JohnB77 Bit poster

    Messages:
    1
    Getting the following DSAN errors,
    Code:
    [    0.300325] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:83:10
    [    0.300327] index 0 is out of range for type 'page *[*]'
    [    0.300396] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:84:3
    [    0.300397] index 0 is out of range for type 'page *[*]'
    [    0.300448] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:86:10
    [    0.300449] index 0 is out of range for type 'page *[*]'
    [    0.300516] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:245:4
    [    0.300517] index 0 is out of range for type 'page *[*]'
    [    8.065926] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:143:21
    [    8.065929] index 0 is out of range for type 'page *[*]'
    [    8.065983] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:242:25
    [    8.065984] index 0 is out of range for type 'page *[*]'
    
    Checking the Parallels Tools module source, it does look like there's an error where loops start from 0, which causes an attempt to act on index 0 on an index of pages.

    i.e., prltg_call.c:84:3 and 86:10 refer to this loop:
    Code:
            for (i = 0; i < count; i++, mem += PAGE_SIZE, uple->count++) {
                    dma_addr_t addr;
    
                    uple->p[i] = vmalloc_to_page(mem);
                    page_cache_get(uple->p[i]);
    
                    addr = dma_map_page(prl_tg_get_device_from_pci_device(pdev), uple->p[i], 0, PAGE_SIZE,
                                        DMA_BIDIRECTIONAL);
                    dst->RequestPages[i] = dma_addr_to_pfn(addr);
                    if (!dst->RequestPages[i]) {
                            page_cache_release(uple->p[i]);
                            goto err;
                    }
            }
    
    This *might* be introducing access to unauthorised pages, so should probably be audited to make sure it is not a security hole, and is correct behaviour.
     
    Johan11 likes this.
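
A small triage helper for the dmesg output quoted above, added here as an example and not part of the original post or of Parallels Tools: it pairs each UBSAN header line with the detail line that follows it and groups the flagged source positions by file, array type and index. The function names are hypothetical, and the sample lines are copied from the log in the post.

```python
import re
from collections import defaultdict

# Sample lines copied from the dmesg output quoted in the post above.
SAMPLE = """\
[    0.300325] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:83:10
[    0.300327] index 0 is out of range for type 'page *[*]'
[    0.300396] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:84:3
[    0.300397] index 0 is out of range for type 'page *[*]'
[    8.065926] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:143:21
[    8.065929] index 0 is out of range for type 'page *[*]'
"""

HEADER = re.compile(r"^\[\s*\d+\.\d+\]\s+UBSAN: (?P<kind>[\w-]+) in "
                    r"(?P<path>\S+):(?P<line>\d+):(?P<col>\d+)\s*$")
DETAIL = re.compile(r"^\[\s*\d+\.\d+\]\s+index (?P<index>-?\d+) is out of "
                    r"range for type '(?P<type>[^']+)'\s*$")

def parse_ubsan(text):
    """Pair each UBSAN header with the detail line that directly follows it."""
    reports, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            pending = header.groupdict()
            continue
        detail = DETAIL.match(line)
        if detail and pending:
            reports.append({
                "kind": pending["kind"],
                "file": pending["path"].rsplit("/", 1)[-1],  # drop DKMS build prefix
                "site": (int(pending["line"]), int(pending["col"])),
                "index": int(detail["index"]),
                "type": detail["type"],
            })
        pending = None  # a detail line without a header is ignored
    return reports

def group_by_array(reports):
    """Group flagged source positions by (file, array type, index)."""
    groups = defaultdict(set)
    for r in reports:
        groups[(r["file"], r["type"], r["index"])].add(r["site"])
    return {key: sorted(sites) for key, sites in groups.items()}

if __name__ == "__main__":
    for (name, typ, idx), sites in group_by_array(parse_ubsan(SAMPLE)).items():
        where = ", ".join(f"{ln}:{col}" for ln, col in sites)
        print(f"{name}: index {idx} on '{typ}' at {len(sites)} site(s): {where}")
```
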
  2. Johan11

    Johan11

    Messages:
    3
