From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@gmail.com>
Cc: KY Srinivasan <kys@microsoft.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
Stephen Hemminger <sthemmin@microsoft.com>,
Wei Liu <wei.liu@kernel.org>, Dexuan Cui <decui@microsoft.com>,
Michael Kelley <mikelley@microsoft.com>,
Wei Hu <weh@microsoft.com>, Rob Herring <robh@kernel.org>,
Krzysztof Wilczynski <kw@linux.com>,
Bjorn Helgaas <bhelgaas@google.com>,
linux-hyperv@vger.kernel.org, linux-pci@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/6] PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening
Date: Mon, 25 Apr 2022 17:50:37 +0100 [thread overview]
Message-ID: <20220425165037.GA17718@lpieralisi> (raw)
In-Reply-To: <20220419122325.10078-3-parri.andrea@gmail.com>
On Tue, Apr 19, 2022 at 02:23:21PM +0200, Andrea Parri (Microsoft) wrote:
> Currently, pointers to guest memory are passed to Hyper-V as transaction
> IDs in hv_pci. In the face of errors or malicious behavior in Hyper-V,
> hv_pci should not expose or trust the transaction IDs returned by
> Hyper-V to be valid guest memory addresses. Instead, use small integers
> generated by vmbus_requestor as request (transaction) IDs.
>
> Suggested-by: Michael Kelley <mikelley@microsoft.com>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
> ---
> drivers/pci/controller/pci-hyperv.c | 39 +++++++++++++++++++++--------
> 1 file changed, 29 insertions(+), 10 deletions(-)
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
> index 88b3b56d05228..0252b4bbc8d15 100644
> --- a/drivers/pci/controller/pci-hyperv.c
> +++ b/drivers/pci/controller/pci-hyperv.c
> @@ -91,6 +91,13 @@ static enum pci_protocol_version_t pci_protocol_versions[] = {
> /* space for 32bit serial number as string */
> #define SLOT_NAME_SIZE 11
>
> +/*
> + * Size of requestor for VMbus; the value is based on the observation
> + * that having more than one request outstanding is 'rare', and so 64
> + * should be generous in ensuring that we don't ever run out.
> + */
> +#define HV_PCI_RQSTOR_SIZE 64
> +
> /*
> * Message Types
> */
> @@ -1407,7 +1414,7 @@ static void hv_int_desc_free(struct hv_pci_dev *hpdev,
> int_pkt->wslot.slot = hpdev->desc.win_slot.slot;
> int_pkt->int_desc = *int_desc;
> vmbus_sendpacket(hpdev->hbus->hdev->channel, int_pkt, sizeof(*int_pkt),
> - (unsigned long)&ctxt.pkt, VM_PKT_DATA_INBAND, 0);
> + 0, VM_PKT_DATA_INBAND, 0);
> kfree(int_desc);
> }
>
> @@ -2649,7 +2656,7 @@ static void hv_eject_device_work(struct work_struct *work)
> ejct_pkt->message_type.type = PCI_EJECTION_COMPLETE;
> ejct_pkt->wslot.slot = hpdev->desc.win_slot.slot;
> vmbus_sendpacket(hbus->hdev->channel, ejct_pkt,
> - sizeof(*ejct_pkt), (unsigned long)&ctxt.pkt,
> + sizeof(*ejct_pkt), 0,
> VM_PKT_DATA_INBAND, 0);
>
> /* For the get_pcichild() in hv_pci_eject_device() */
> @@ -2696,8 +2703,9 @@ static void hv_pci_onchannelcallback(void *context)
> const int packet_size = 0x100;
> int ret;
> struct hv_pcibus_device *hbus = context;
> + struct vmbus_channel *chan = hbus->hdev->channel;
> u32 bytes_recvd;
> - u64 req_id;
> + u64 req_id, req_addr;
> struct vmpacket_descriptor *desc;
> unsigned char *buffer;
> int bufferlen = packet_size;
> @@ -2715,8 +2723,8 @@ static void hv_pci_onchannelcallback(void *context)
> return;
>
> while (1) {
> - ret = vmbus_recvpacket_raw(hbus->hdev->channel, buffer,
> - bufferlen, &bytes_recvd, &req_id);
> + ret = vmbus_recvpacket_raw(chan, buffer, bufferlen,
> + &bytes_recvd, &req_id);
>
> if (ret == -ENOBUFS) {
> kfree(buffer);
> @@ -2743,11 +2751,14 @@ static void hv_pci_onchannelcallback(void *context)
> switch (desc->type) {
> case VM_PKT_COMP:
>
> - /*
> - * The host is trusted, and thus it's safe to interpret
> - * this transaction ID as a pointer.
> - */
> - comp_packet = (struct pci_packet *)req_id;
> + req_addr = chan->request_addr_callback(chan, req_id);
> + if (req_addr == VMBUS_RQST_ERROR) {
> + dev_err(&hbus->hdev->device,
> + "Invalid transaction ID %llx\n",
> + req_id);
> + break;
> + }
> + comp_packet = (struct pci_packet *)req_addr;
> response = (struct pci_response *)buffer;
> comp_packet->completion_func(comp_packet->compl_ctxt,
> response,
> @@ -3428,6 +3439,10 @@ static int hv_pci_probe(struct hv_device *hdev,
> goto free_dom;
> }
>
> + hdev->channel->next_request_id_callback = vmbus_next_request_id;
> + hdev->channel->request_addr_callback = vmbus_request_addr;
> + hdev->channel->rqstor_size = HV_PCI_RQSTOR_SIZE;
> +
> ret = vmbus_open(hdev->channel, pci_ring_size, pci_ring_size, NULL, 0,
> hv_pci_onchannelcallback, hbus);
> if (ret)
> @@ -3758,6 +3773,10 @@ static int hv_pci_resume(struct hv_device *hdev)
>
> hbus->state = hv_pcibus_init;
>
> + hdev->channel->next_request_id_callback = vmbus_next_request_id;
> + hdev->channel->request_addr_callback = vmbus_request_addr;
> + hdev->channel->rqstor_size = HV_PCI_RQSTOR_SIZE;
> +
> ret = vmbus_open(hdev->channel, pci_ring_size, pci_ring_size, NULL, 0,
> hv_pci_onchannelcallback, hbus);
> if (ret)
> --
> 2.25.1
>
next prev parent reply other threads:[~2022-04-25 16:50 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-19 12:23 [PATCH v2 0/6] PCI: hv: VMbus requestor and related fixes Andrea Parri (Microsoft)
2022-04-19 12:23 ` [PATCH v2 1/6] Drivers: hv: vmbus: Fix handling of messages with transaction ID of zero Andrea Parri (Microsoft)
2022-04-19 12:23 ` [PATCH v2 2/6] PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening Andrea Parri (Microsoft)
2022-04-19 15:36 ` Michael Kelley (LINUX)
2022-04-25 16:50 ` Lorenzo Pieralisi [this message]
2022-04-19 12:23 ` [PATCH v2 3/6] Drivers: hv: vmbus: Introduce vmbus_sendpacket_getid() Andrea Parri (Microsoft)
2022-04-19 12:23 ` [PATCH v2 4/6] Drivers: hv: vmbus: Introduce vmbus_request_addr_match() Andrea Parri (Microsoft)
2022-04-19 15:37 ` Michael Kelley (LINUX)
2022-04-19 12:23 ` [PATCH v2 5/6] Drivers: hv: vmbus: Introduce {lock,unlock}_requestor() Andrea Parri (Microsoft)
2022-04-19 12:23 ` [PATCH v2 6/6] PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() Andrea Parri (Microsoft)
2022-04-25 16:51 ` Lorenzo Pieralisi
2022-04-25 15:52 ` [PATCH v2 0/6] PCI: hv: VMbus requestor and related fixes Wei Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220425165037.GA17718@lpieralisi \
--to=lorenzo.pieralisi@arm.com \
--cc=bhelgaas@google.com \
--cc=decui@microsoft.com \
--cc=haiyangz@microsoft.com \
--cc=kw@linux.com \
--cc=kys@microsoft.com \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mikelley@microsoft.com \
--cc=parri.andrea@gmail.com \
--cc=robh@kernel.org \
--cc=sthemmin@microsoft.com \
--cc=weh@microsoft.com \
--cc=wei.liu@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.