* [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values
@ 2020-07-06 16:09 Andres Beltran
2020-07-06 16:28 ` Michael Kelley
2020-07-08 6:06 ` Martin K. Petersen
0 siblings, 2 replies; 3+ messages in thread
From: Andres Beltran @ 2020-07-06 16:09 UTC (permalink / raw)
To: kys, haiyangz, sthemmin, wei.liu
Cc: linux-hyperv, linux-kernel, mikelley, parri.andrea, skarade,
Andres Beltran, James E . J . Bottomley, Martin K . Petersen,
linux-scsi
For additional robustness in the face of Hyper-V errors or malicious
behavior, validate all values that originate from packets that
Hyper-V has sent to the guest. Ensure that invalid values cannot
cause data being copied out of the bounds of the source buffer
when calling memcpy. Ensure that outgoing packets do not have any
leftover guest memory that has not been zeroed out.
Cc: James E.J. Bottomley <jejb@linux.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Andres Beltran <lkmlabelt@gmail.com>
---
drivers/scsi/storvsc_drv.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 6d2df1f0fe6d..5fcc555a67a4 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1133,6 +1133,10 @@ static void storvsc_command_completion(struct storvsc_cmd_request *cmd_request,
data_transfer_length = 0;
}
+ /* Validate data_transfer_length (from Hyper-V) */
+ if (data_transfer_length > cmd_request->payload->range.len)
+ data_transfer_length = cmd_request->payload->range.len;
+
scsi_set_resid(scmnd,
cmd_request->payload->range.len - data_transfer_length);
@@ -1173,6 +1177,11 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device,
/* Copy over the status...etc */
stor_pkt->vm_srb.scsi_status = vstor_packet->vm_srb.scsi_status;
stor_pkt->vm_srb.srb_status = vstor_packet->vm_srb.srb_status;
+
+ /* Validate sense_info_length (from Hyper-V) */
+ if (vstor_packet->vm_srb.sense_info_length > sense_buffer_size)
+ vstor_packet->vm_srb.sense_info_length = sense_buffer_size;
+
stor_pkt->vm_srb.sense_info_length =
vstor_packet->vm_srb.sense_info_length;
@@ -1623,6 +1632,7 @@ static int storvsc_host_reset_handler(struct scsi_cmnd *scmnd)
request = &stor_device->reset_request;
vstor_packet = &request->vstor_packet;
+ memset(vstor_packet, 0, sizeof(struct vstor_packet));
init_completion(&request->wait_event);
@@ -1736,6 +1746,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
/* Setup the cmd request */
cmd_request->cmd = scmnd;
+ memset(&cmd_request->vstor_packet, 0, sizeof(struct vstor_packet));
vm_srb = &cmd_request->vstor_packet.vm_srb;
vm_srb->win8_extension.time_out_value = 60;
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values
2020-07-06 16:09 [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values Andres Beltran
@ 2020-07-06 16:28 ` Michael Kelley
2020-07-08 6:06 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Michael Kelley @ 2020-07-06 16:28 UTC (permalink / raw)
To: Andres Beltran, KY Srinivasan, Haiyang Zhang, Stephen Hemminger, wei.liu
Cc: linux-hyperv, linux-kernel, parri.andrea, Saruhan Karademir,
James E . J . Bottomley, Martin K . Petersen, linux-scsi
From: Andres Beltran <lkmlabelt@gmail.com> Sent: Monday, July 6, 2020 9:09 AM
>
> For additional robustness in the face of Hyper-V errors or malicious
> behavior, validate all values that originate from packets that
> Hyper-V has sent to the guest. Ensure that invalid values cannot
> cause data being copied out of the bounds of the source buffer
> when calling memcpy. Ensure that outgoing packets do not have any
> leftover guest memory that has not been zeroed out.
>
> Cc: James E.J. Bottomley <jejb@linux.ibm.com>
> Cc: Martin K. Petersen <martin.petersen@oracle.com>
> Cc: linux-scsi@vger.kernel.org
> Signed-off-by: Andres Beltran <lkmlabelt@gmail.com>
> ---
> drivers/scsi/storvsc_drv.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values
2020-07-06 16:09 [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values Andres Beltran
2020-07-06 16:28 ` Michael Kelley
@ 2020-07-08 6:06 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2020-07-08 6:06 UTC (permalink / raw)
To: haiyangz, kys, sthemmin, Andres Beltran, wei.liu
Cc: Martin K . Petersen, mikelley, James E . J . Bottomley,
linux-scsi, parri.andrea, linux-kernel, skarade, linux-hyperv
On Mon, 6 Jul 2020 12:09:28 -0400, Andres Beltran wrote:
> For additional robustness in the face of Hyper-V errors or malicious
> behavior, validate all values that originate from packets that
> Hyper-V has sent to the guest. Ensure that invalid values cannot
> cause data being copied out of the bounds of the source buffer
> when calling memcpy. Ensure that outgoing packets do not have any
> leftover guest memory that has not been zeroed out.
Applied to 5.9/scsi-queue, thanks!
[1/1] scsi: storvsc: Add validation for untrusted Hyper-V values
https://git.kernel.org/mkp/scsi/c/0a76566595bf
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-08 6:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-06 16:09 [PATCH] scsi: storvsc: Add validation for untrusted Hyper-V values Andres Beltran
2020-07-06 16:28 ` Michael Kelley
2020-07-08 6:06 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).