From patchwork Thu Jan 19 13:57:16 2023
X-Patchwork-Submitter: Alexander Shishkin
X-Patchwork-Id: 46129
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 1/6] virtio console: Harden multiport against invalid host input
Date: Thu, 19 Jan 2023 15:57:16 +0200
Message-Id: <20230119135721.83345-2-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
From: Andi Kleen

It's possible for the host to set the multiport flag, but pass in 0 multiports, which results in:

BUG: KASAN: slab-out-of-bounds in init_vqs+0x244/0x6c0 drivers/char/virtio_console.c:1878
Write of size 8 at addr ffff888001cc24a0 by task swapper/1

CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0-rc1-140273-gaab0bb9fbaa1-dirty #588
Call Trace:
 init_vqs+0x244/0x6c0 drivers/char/virtio_console.c:1878
 virtcons_probe+0x1a3/0x5b0 drivers/char/virtio_console.c:2042
 virtio_dev_probe+0x2b9/0x500 drivers/virtio/virtio.c:263
 call_driver_probe drivers/base/dd.c:515
 really_probe+0x1c9/0x5b0 drivers/base/dd.c:601
 really_probe_debug drivers/base/dd.c:694
 __driver_probe_device+0x10d/0x1f0 drivers/base/dd.c:754
 driver_probe_device+0x68/0x150 drivers/base/dd.c:786
 __driver_attach+0xca/0x200 drivers/base/dd.c:1145
 bus_for_each_dev+0x108/0x190 drivers/base/bus.c:301
 driver_attach+0x30/0x40 drivers/base/dd.c:1162
 bus_add_driver+0x325/0x3c0 drivers/base/bus.c:618
 driver_register+0xf3/0x1d0 drivers/base/driver.c:171
 ...

Add a suitable sanity check.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 6a821118d553..f4fd5fe7cd3a 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1843,6 +1843,9 @@ static int init_vqs(struct ports_device *portdev) int err; nr_ports = portdev->max_nr_ports; + if (use_multiport(portdev) && nr_ports < 1) + return -EINVAL; + nr_queues = use_multiport(portdev) ? (nr_ports + 1) * 2 : 2; vqs = kmalloc_array(nr_queues, sizeof(struct virtqueue *), GFP_KERNEL);
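Review bot: the new check in init_vqs() only closes the zero case; nr_ports comes from the untrusted device config, and a value at the top of its range still makes `(nr_ports + 1) * 2` wrap before kmalloc_array() sees it (kmalloc_array() guards the multiplication, not the addition). Bound max_nr_ports from above as well, for instance by rejecting any value for which the nr_queues arithmetic would not fit, so the sanity check covers both ends. Minor: `nr_ports == 0` says what is meant more directly than `nr_ports < 1`.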
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 2/6] virtio console: Harden port adding
Date: Thu, 19 Jan 2023 15:57:17 +0200
Message-Id: <20230119135721.83345-3-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
From: Andi Kleen

The ADD_PORT operation reads and sanity checks the port id multiple times from the untrusted host. This is not safe because a malicious host could change it between reads.

Read the port id only once and cache it for subsequent uses.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
Reviewed-by: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index f4fd5fe7cd3a..6599c2956ba4 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1563,10 +1563,13 @@ static void handle_control_message(struct virtio_device *vdev, struct port *port; size_t name_size; int err; + unsigned id; cpkt = (struct virtio_console_control *)(buf->buf + buf->offset); - port = find_port_by_id(portdev, virtio32_to_cpu(vdev, cpkt->id)); + /* Make sure the host cannot change id under us */ + id = virtio32_to_cpu(vdev, READ_ONCE(cpkt->id)); + port = find_port_by_id(portdev, id); if (!port && cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) { /* No valid header at start of buffer. Drop it. */
@@ -1583,15 +1586,14 @@ static void handle_control_message(struct virtio_device *vdev, send_control_msg(port, VIRTIO_CONSOLE_PORT_READY, 1); break; } - if (virtio32_to_cpu(vdev, cpkt->id) >= - portdev->max_nr_ports) { + if (id >= portdev->max_nr_ports) { dev_warn(&portdev->vdev->dev, "Request for adding port with " "out-of-bound id %u, max. supported id: %u\n", cpkt->id, portdev->max_nr_ports - 1); break; } - add_port(portdev, virtio32_to_cpu(vdev, cpkt->id)); + add_port(portdev, id); break; case VIRTIO_CONSOLE_PORT_REMOVE: unplug_port(port);
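Review bot: in the first hunk (@@ -1563,10) the id snapshot is right, but the same hunk still reads cpkt->event straight out of the host-writable buffer in the `!port && cpkt->event != cpu_to_virtio16(...)` test, and the switch on cpkt->event further down is untouched, so the function keeps a second double-fetch window of exactly the kind this patch is closing. Snapshot event next to id with the same READ_ONCE() treatment here rather than leaving it for a later patch.

Review bot: in the second hunk (@@ -1583,15) the dev_warn() in the out-of-bound branch still passes `cpkt->id` to the format string, which re-reads the field the patch just stopped trusting and prints the raw __virtio32 instead of the converted value; pass the cached `id` there too: `"out-of-bound id %u, max. supported id: %u\n", id, portdev->max_nr_ports - 1);`.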
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Christian Schoenebeck, Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet, v9fs-developer@lists.sourceforge.net
Subject: [PATCH v1 3/6] virtio 9p: Fix an overflow
Date: Thu, 19 Jan 2023 15:57:18 +0200
Message-Id: <20230119135721.83345-4-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

From: Andi Kleen

tag_len is read as a u16 from the untrusted host. It could overflow in the memory allocation, which would lead to a too small buffer. Some later loops use it when extended to 32bit, so they could overflow the too small buffer.

Make sure to do the arithmetic for the buffer size in 32bit to avoid wrapping.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Reviewed-by: Christian Schoenebeck
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Cc: Dominique Martinet
Cc: v9fs-developer@lists.sourceforge.net
---
 net/9p/trans_virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 3c27ffb781e3..a78e4d80e5ba 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) err = -EINVAL; goto out_free_vq; } - tag = kzalloc(tag_len + 1, GFP_KERNEL); + tag = kzalloc((u32)tag_len + 1, GFP_KERNEL); if (!tag) { err = -ENOMEM; goto out_free_vq;
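Review bot: the cast in `kzalloc((u32)tag_len + 1, GFP_KERNEL)` does not change the arithmetic. The commit message says tag_len is a u16, and C's integer promotions widen a 16-bit operand to int before the `+ 1` is evaluated, so `tag_len + 1` is already 65536 for tag_len == 0xFFFF and cannot wrap; the new expression yields the same value and the same allocation size. If the real problem is in the later loops the message refers to, the fix belongs where the width is actually lost (for example a 16-bit variable the sum is stored into, or a 16-bit loop counter); otherwise this change is a no-op and the description should say what the explicit width is meant to achieve.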
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 4/6] virtio console: Harden control message handling
Date: Thu, 19 Jan 2023 15:57:19 +0200
Message-Id: <20230119135721.83345-5-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

In handle_control_message(), we look at the ->event field twice, which gives a malicious VMM a window in which to switch it from PORT_ADD to PORT_REMOVE, triggering a null dereference further down the line:

RIP: 0010:spin_lock_irq ./include/linux/spinlock.h:388
RIP: 0010:unplug_port+0x9/0x150 drivers/char/virtio_console.c:1512
Call Trace:
 handle_control_message+0x108/0x2c0 drivers/char/virtio_console.c:1600
 elfcorehdr_read+0x40/0x40 ??:?
 process_one_work+0x1b4/0x310 kernel/workqueue.c:2297
 worker_thread+0x5c/0x3a0 kernel/workqueue.c:2444
 kthread+0x120/0x140 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Read the event code once instead, basing all following decisions on the same value.
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 6599c2956ba4..62f69f949cb7 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1563,22 +1563,22 @@ static void handle_control_message(struct virtio_device *vdev, struct port *port; size_t name_size; int err; - unsigned id; + unsigned id, event; cpkt = (struct virtio_console_control *)(buf->buf + buf->offset); - /* Make sure the host cannot change id under us */ + /* Make sure the host cannot change id or event under us */ id = virtio32_to_cpu(vdev, READ_ONCE(cpkt->id)); + event = virtio16_to_cpu(vdev, cpkt->event); port = find_port_by_id(portdev, id); - if (!port && - cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) { + if (!port && event != VIRTIO_CONSOLE_PORT_ADD) { /* No valid header at start of buffer. Drop it. */ dev_dbg(&portdev->vdev->dev, "Invalid index %u in control packet\n", cpkt->id); return; } - switch (virtio16_to_cpu(vdev, cpkt->event)) { + switch (event) { case VIRTIO_CONSOLE_PORT_ADD: if (port) { dev_dbg(&portdev->vdev->dev,
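Review bot: `event = virtio16_to_cpu(vdev, cpkt->event);` is a plain load while the line above it uses READ_ONCE() for id, although the updated comment promises that both are read exactly once; without READ_ONCE() the compiler is not obliged to issue a single load from the host-writable buffer, so use `READ_ONCE(cpkt->event)` for consistency with both the comment and the id read. Also, the dev_dbg() in the dropped-packet path still passes `cpkt->id` to the format string; pass the cached `id` so the log reports the value the decision was actually made on.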
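The double fetch that this patch and patch 2 close, modelled in user space as an added example (this is not the kernel's code and none of the names below exist in the driver): a control packet sits in a buffer the host can rewrite at any time; the unsafe handler validates the id from that buffer and then re-reads it when acting, while the hardened handler snapshots id and event once and bases every later decision on the copies. The host is simulated by a hook that fires between the two reads; MAX_NR_PORTS, the packet layout, and the handler names are assumptions for the example.

```c
/* Added example, not kernel code: double fetch from a host-writable buffer.
 * All names here are invented for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NR_PORTS 4          /* assumed limit, playing portdev->max_nr_ports */
#define PORT_ADD     1
#define PORT_REMOVE  2

struct control_packet {         /* layout modelled on a virtio control packet */
    uint32_t id;
    uint16_t event;
    uint16_t value;
};

/* The shared buffer; volatile because the simulated host writes it concurrently. */
static volatile struct control_packet shared_buf;

/* Stand-in for a host write landing between two reads of the same field. */
static void (*host_hook)(void);
static void host_window(void) { if (host_hook) host_hook(); }

/* Records what add_port() was handed: the id, or -1 if it was never called. */
static long long added_port;
static void add_port(uint32_t id) { added_port = (long long)id; }

/* Unsafe: validates shared_buf.id, then reads it again after the host window. */
int handle_control_unsafe(void)
{
    if (shared_buf.event != PORT_ADD)
        return -1;
    if (shared_buf.id >= MAX_NR_PORTS)      /* first read: validated */
        return -2;                          /* rejected */
    host_window();
    add_port(shared_buf.id);                /* second read: may differ */
    return 0;
}

/* Hardened: one snapshot of id and event drives every decision that follows. */
int handle_control_safe(void)
{
    uint32_t id = shared_buf.id;            /* read once, the role READ_ONCE() plays */
    uint16_t event = shared_buf.event;
    if (event != PORT_ADD)
        return -1;
    if (id >= MAX_NR_PORTS)
        return -2;
    host_window();
    add_port(id);                           /* uses the validated copy */
    return 0;
}

/* Simulated malicious host: flips the id out of range mid-handling. */
static void host_flip_id(void) { shared_buf.id = 0xFFFFFFFFu; }

/* Runs a handler with the racing host and returns the id add_port() received
 * (-1 if add_port() was never called). */
long long run_with_racing_host(int (*handler)(void))
{
    added_port = -1;
    shared_buf.id = 1;                      /* in range at validation time */
    shared_buf.event = PORT_ADD;
    host_hook = host_flip_id;
    handler();
    host_hook = NULL;
    return added_port;
}

/* Without a race, both handlers reject an id that is already out of range. */
int run_out_of_range(int (*handler)(void))
{
    added_port = -1;
    shared_buf.id = MAX_NR_PORTS;
    shared_buf.event = PORT_ADD;
    host_hook = NULL;
    return handler();
}

int main(void)
{
    printf("unsafe handler passed id %lld to add_port()\n",
           run_with_racing_host(handle_control_unsafe));
    printf("safe handler passed id %lld to add_port()\n",
           run_with_racing_host(handle_control_safe));
    return 0;
}
```

The unsafe handler hands add_port() the out-of-range value the host wrote after validation; the hardened one hands it the value it checked. In the kernel the same single-read discipline is what READ_ONCE() plus the local variable provide, and the rule extends to every later consumer of the field, including log messages.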
from mga07.intel.com (mga07.intel.com [134.134.136.100]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 970B193721 for ; Thu, 19 Jan 2023 10:17:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1674152230; x=1705688230; h=resent-from:resent-date:resent-message-id:resent-to:from: to:cc:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=UJGdQbNU1p0G34DMECtmIGs9ax802RzLD9JfEvjugQM=; b=bwMRsSVF0KO8ug6TVn2JPlp5S2PutUbXS5Fw11J7gYWFtYBNgZwnojEq oDYhdBM9ReZ/40NNza2SSmwC1E9rsRxh2rmFfVKuXZn5sBV2PEWL79PqB xhqGban8oQCNdrWYzVY771uGlGJumb4kYW8I9vdROyvEu+1cjNW3Qdtl7 GxW88lhkvyiaVrpJyZfFPmmEGasiAoYvK1C0ebyIMiOZnUoFM/X4GmmBW HOZAg6MBNsuMcPcuCu33zeOHPKkxmxlw8oDwy8zyRrtjRhBQQu/x3HAko 4jdt5l3v0NWI+Nhs/4pg3KB4ZH19122EVtG4qSepLWcSfcad8hdyJ8eUH A==; X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="389888357" X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; d="scan'208";a="389888357" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Jan 2023 10:16:31 -0800 X-ExtLoopCount2: 2 from 10.237.72.184 X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="768338522" X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; d="scan'208";a="768338522" Received: from ubik.fi.intel.com (HELO ubik) ([10.237.72.184]) by fmsmga002.fm.intel.com with ESMTP; 19 Jan 2023 10:16:30 -0800 Received: from ash by ubik with local (Exim 4.96) (envelope-from ) id 1pIZSN-00EPLf-25 for linux-kernel@vger.kernel.org; Thu, 19 Jan 2023 20:16:11 +0200 X-Original-To: alexander.shishkin@linux.intel.com Received: from linux.intel.com [10.54.29.200] by ubik.fi.intel.com with IMAP (fetchmail-6.4.29) for (single-drop); Thu, 19 Jan 2023 15:59:07 +0200 (EET) Received: from fmsmga005.fm.intel.com (fmsmga005.fm.intel.com [10.253.24.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by linux.intel.com 
(Postfix) with ESMTPS id 3FE62580AE0; Thu, 19 Jan 2023 05:57:19 -0800 (PST) X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10594"; a="988993981" X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; d="scan'208";a="988993981" Received: from black.fi.intel.com (HELO black.fi.intel.com.) ([10.237.72.28]) by fmsmga005.fm.intel.com with ESMTP; 19 Jan 2023 05:57:15 -0800 From: Alexander Shishkin To: mst@redhat.com, jasowang@redhat.com Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni Subject: [PATCH v1 5/6] virtio_net: Guard against buffer length overflow in xdp_linearize_page() Date: Thu, 19 Jan 2023 15:57:20 +0200 Message-Id: <20230119135721.83345-6-alexander.shishkin@linux.intel.com> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com> References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com> MIME-Version: 1.0 X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1755476050653504021?= X-GMAIL-MSGID: =?utf-8?q?1755476050653504021?= When reassembling incoming buffers to an xdp_page, there is a potential integer overflow in the buffer size test and trigger and out of bounds memcpy(). Fix this by reordering the test so that both sides are of the same signedness. 
Signed-off-by: Alexander Shishkin Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Jesper Dangaard Brouer Cc: John Fastabend Cc: David S. Miller Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni --- drivers/net/virtio_net.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 7723b2a49d8e..dfa51dd95f63 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c 
@@ -751,8 +751,10 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. + * At the same time, make sure that an especially uncooperative + * backend can't overflow the test by supplying a large buflen. */ - if ((page_off + buflen + tailroom) > PAGE_SIZE) { + if (buflen > PAGE_SIZE - page_off - tailroom) { put_page(p); goto err_buf; } From patchwork Thu Jan 19 13:57:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Shishkin X-Patchwork-Id: 45891 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp475497wrn; Thu, 19 Jan 2023 10:17:49 -0800 (PST) X-Google-Smtp-Source: AMrXdXsbPNi5Zc3scrlECgEdu3PAeTPTAmnP6Q+kEk0PuewGeDOTHnWPUq0M4OB1ixMOqjcUDKV6 X-Received: by 2002:a05:6a20:d68c:b0:b8:65b8:6a4e with SMTP id it12-20020a056a20d68c00b000b865b86a4emr13836088pzb.45.1674152268736; Thu, 19 Jan 2023 10:17:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674152268; cv=none; d=google.com; s=arc-20160816; b=pKG4n+3aQuWn7iSo2h56By7L6jvlIgewg2HN5GgKMF71TS9Zp7U/LSx1p/wN9UUuIX MxG8hpa6Flf17P7bdAKhnCqTlsueJpMMWbqLpEpSwNVzNoE1o1IvjJRxjCgNOkIzB5ri LGumnvxEaeE6e+Fmo0bnGc3zD77rzF77dx7vxTGxib9Z5a0ttCt3BxcfO0UQpf+Vg3EW ckhjB+dYqzt6YY/sJXsAUHj3vm4GaUA1wAzvejERV1A65DWaXplDxSb2z9TCCLfe5Dvg KP9aSpvF/R9Yp1+ZDmh+iHepI4FS9irS+1tHA952nQNoS+1CU5+1XKvFBU5qChTasbef eKVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=BgwGcYPWJ+Tf0jmufmXmebnN8VLYoyThixFzFq08+P0=; b=AeYT9NEFR4mJuwJVDBWftLhdq8HisakwPp4+Zisu7CHufej8NCHG//FewydwNc4sSV vW6dfS5GO6CYZvXyiuyhpVb5BgRI0s14brppvU7Yr87cLqdD4/eEYRRlOHzdLRlRG1MI wQ0qhWFcKEO0dp12ICbL+OuX/jc7YjRd9UVX06AXh95Ig32X132zHGrbDdHFH0htguoJ 
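Review bot: the reordered test `if (buflen > PAGE_SIZE - page_off - tailroom)` is only correct while page_off + tailroom <= PAGE_SIZE; if that sum ever exceeds PAGE_SIZE, the right-hand side wraps and any buflen is accepted, so the new comment should state that invariant (or the condition should guard it, e.g. `page_off + tailroom > PAGE_SIZE || buflen > PAGE_SIZE - page_off - tailroom`). The commit message credits the fix to making both sides the same signedness, but what the hunk actually changes is that no sum containing the device-supplied buflen is formed any more, which is the property worth recording in the log.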
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin
Subject: [PATCH v1 6/6] virtio_ring: Prevent bounds check bypass on descriptor index
Date: Thu, 19 Jan 2023 15:57:21 +0200
Message-Id: <20230119135721.83345-7-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The descriptor index in virtqueue_get_buf_ctx_split() comes from the device/VMM. Use array_index_nospec() to prevent the CPU from speculating beyond the descriptor array bounds and providing a primitive for building a side channel.

Signed-off-by: Alexander Shishkin --- drivers/virtio/virtio_ring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 2e7689bb933b..c42d070ab68d 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include
@@ -819,6 +820,8 @@ static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq, BAD_RING(vq, "id %u out of range\n", i); return NULL; } + + i = array_index_nospec(i, vq->split.vring.num); if (unlikely(!vq->split.desc_state[i].data)) { BAD_RING(vq, "id %u is not a head!\n", i); return NULL;
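Review bot: the clamp sits after the range check, which is the right order (placed before it, an out-of-range id would be folded to index 0 and the `BAD_RING(vq, "id %u out of range\n", i); return NULL;` path would never fire), but nothing in the hunk says so; a one-line comment on `i = array_index_nospec(i, vq->split.vring.num);` would stop a later cleanup from hoisting it. Please also confirm that vq->split.vring.num is the same bound the preceding check tests, since clamping against a different size than the one checked is a silent no-op for speculation, and that every later use of the head index in this function goes through the clamped `i` rather than a copy taken before it. Minor: the hunk adds a blank line before the assignment but none between it and the following `if`, which reads oddly against the surrounding style.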
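Added example, not code from this series or from the kernel: a stand-alone userland rendition of the two checks in patches 5/6 and 6/6, so that their failure modes can be run rather than read. It assumes the kernel's types for the 5/6 test (page_off and tailroom are int, buflen is unsigned int, PAGE_SIZE is an unsigned long), a 4 KiB page and a 256-entry ring; EX_PAGE_SIZE, EX_RING_NUM, the fits_* helpers, ex_index_nospec() and ex_get_buf() are this example's own names. ex_index_mask_nospec() follows the shape of the kernel's generic array_index_mask_nospec() (an arithmetic right shift of a negative long); architectures with a native implementation use their own sequence instead.

```c
/*
 * Added example, not code from the patch series or the kernel: a userland
 * rendition of the length check from 5/6 and the nospec clamp from 6/6.
 * Assumptions: page_off/tailroom are int, buflen is unsigned int, PAGE_SIZE
 * is unsigned long (as in the kernel), 4 KiB pages, a 256-entry ring.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096UL   /* assumption: 4 KiB page, unsigned long like PAGE_SIZE */
#define EX_RING_NUM  256U     /* assumption: vring.num for the example ring */

/* Pre-patch xdp_linearize_page() test. page_off + buflen + tailroom is
 * evaluated in unsigned int, so a device-supplied buflen near UINT_MAX
 * wraps the sum to a small number and the check passes. */
static bool fits_pre_patch(int page_off, unsigned int buflen, int tailroom)
{
	unsigned int sum = page_off + buflen + tailroom;   /* can wrap */

	return sum <= EX_PAGE_SIZE;                        /* true = accepted */
}

/* Post-patch test: no sum containing the untrusted buflen is formed.
 * Correct only while page_off + tailroom <= PAGE_SIZE; beyond that the
 * unsigned long subtraction wraps and every buflen is accepted. */
static bool fits_post_patch(int page_off, unsigned int buflen, int tailroom)
{
	return !(buflen > EX_PAGE_SIZE - page_off - tailroom);
}

/* Variant that checks that invariant before subtracting. */
static bool fits_hardened(int page_off, unsigned int buflen, int tailroom)
{
	unsigned long used;

	if (page_off < 0 || tailroom < 0)
		return false;
	used = (unsigned long)page_off + (unsigned long)tailroom;
	if (used > EX_PAGE_SIZE)
		return false;
	return buflen <= EX_PAGE_SIZE - used;
}

/* Branch-free mask in the shape of the kernel's generic
 * array_index_mask_nospec(): ~0UL when index < size, 0 otherwise.
 * Depends on an arithmetic right shift of a negative long (gcc/clang). */
static unsigned long ex_index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Clamp an already range-checked index so that even a mispredicted
 * check cannot let a speculative load reach past the array. */
static unsigned long ex_index_nospec(unsigned long index, unsigned long size)
{
	return index & ex_index_mask_nospec(index, size);
}

struct ex_desc_state { void *data; };
static struct ex_desc_state ex_desc_state[EX_RING_NUM];
static int ex_payload[EX_RING_NUM];

/* Constructed ring contents: slot k carries the value 10*k. */
static void ex_ring_init(void)
{
	for (unsigned int k = 0; k < EX_RING_NUM; k++) {
		ex_payload[k] = (int)k * 10;
		ex_desc_state[k].data = &ex_payload[k];
	}
}

/* Same ordering as the 6/6 hunk: architectural range check, then clamp,
 * then the array access. The clamp must stay after the check; placed
 * before it, an out-of-range id would be folded to 0 and the error path
 * would never run. */
static void *ex_get_buf(unsigned int i)
{
	if (i >= EX_RING_NUM)
		return NULL;                               /* BAD_RING path */
	i = (unsigned int)ex_index_nospec(i, EX_RING_NUM);
	return ex_desc_state[i].data;
}

int main(void)
{
	unsigned int huge = UINT_MAX - 500;

	ex_ring_init();
	printf("pre-patch  accepts buflen=%u: %d\n", huge, fits_pre_patch(256, huge, 320));
	printf("post-patch accepts buflen=%u: %d\n", huge, fits_post_patch(256, huge, 320));
	printf("post-patch accepts 100000 with page_off+tailroom > PAGE_SIZE: %d\n",
	       fits_post_patch(4000, 100000, 320));
	printf("hardened   accepts the same: %d\n", fits_hardened(4000, 100000, 320));
	printf("nospec(255, 256) = %lu, nospec(300, 256) = %lu\n",
	       ex_index_nospec(255, 256), ex_index_nospec(300, 256));
	printf("get_buf(7) -> %d, get_buf(256) -> %p\n",
	       *(int *)ex_get_buf(7), ex_get_buf(256));
	return 0;
}
```

With page_off 256 and tailroom 320, a buflen of UINT_MAX - 500 makes the pre-patch sum wrap to 75 and pass, while the post-patch form rejects it; the third call shows the remaining weak spot of the post-patch form (page_off + tailroom already past PAGE_SIZE), which fits_hardened() closes by checking the invariant before subtracting. ex_get_buf() keeps the 6/6 ordering: the architectural range check decides what is returned, and the clamp only bounds what a mispredicted branch can touch.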