From: Yongji Xie <xieyongji@bytedance.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"Jason Wang" <jasowang@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Stefano Garzarella" <sgarzare@redhat.com>,
	"Parav Pandit" <parav@nvidia.com>,
	"Christoph Hellwig" <hch@infradead.org>,
	"Christian Brauner" <christian.brauner@canonical.com>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Matthew Wilcox" <willy@infradead.org>,
	viro@zeniv.linux.org.uk, "Jens Axboe" <axboe@kernel.dk>,
	bcrl@kvack.org, "Jonathan Corbet" <corbet@lwn.net>,
	"Mika Penttilä" <mika.penttila@nextfour.com>,
	joro@8bytes.org,
	virtualization <virtualization@lists.linux-foundation.org>,
	netdev@vger.kernel.org, kvm <kvm@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Re: [PATCH v7 04/12] virtio-blk: Add validation for block size in config space
Date: Thu, 20 May 2021 13:25:16 +0800
Message-ID: <CACycT3veubBFCg9omxLDJJFP7B7QH8++Q+tKmb_M_hmNS45cmw@mail.gmail.com>
In-Reply-To: <20210519144206.GF32682@kadam>

On Wed, May 19, 2021 at 10:42 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Wed, May 19, 2021 at 09:39:20PM +0800, Yongji Xie wrote:
> > On Mon, May 17, 2021 at 5:56 PM Xie Yongji <xieyongji@bytedance.com> wrote:
> > >
> > > This ensures that we will not use an invalid block size
> > > in config space (might come from an untrusted device).
>
> I looked at if I should add this as an untrusted function so that Smatch
> could find these sorts of bugs but this is reading data from the host so
> there has to be some level of trust...
>

It would be great if Smatch could detect this case if possible. The
data might be trusted in traditional VM cases. But now the data can be
read from a userspace daemon when VDUSE is enabled.

> I should add some more untrusted data kvm functions to Smatch.  Right
> now I only have kvm_register_read() and I've added kvm_read_guest_virt()
> just now.
>
> > >
> > > Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
> > > ---
> > >  drivers/block/virtio_blk.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> > > index ebb4d3fe803f..c848aa36d49b 100644
> > > --- a/drivers/block/virtio_blk.c
> > > +++ b/drivers/block/virtio_blk.c
> > > @@ -826,7 +826,7 @@ static int virtblk_probe(struct virtio_device *vdev)
> > >         err = virtio_cread_feature(vdev, VIRTIO_BLK_F_BLK_SIZE,
> > >                                    struct virtio_blk_config, blk_size,
> > >                                    &blk_size);
> > > -       if (!err)
> > > +       if (!err && blk_size > 0 && blk_size <= max_size)
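Review bot: the new condition on the `if` line accepts any blk_size from 1 up to max_size, so a device-supplied value such as 1, or one that is not a power of two, still passes; raise the lower bound to a real sector size and add a comment saying what limit max_size represents, since it is not defined in the visible lines. The hunk also shows no diagnostic for a rejected value, so a dev_err() on the failing path would make a misbehaving device visible instead of silently ignoring its block size.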
> >
> > The check here is incorrect. I will use PAGE_SIZE as the maximum
> > boundary in the new version.
>
> What does this bug look like to the user?

The kernel will panic if the block size is larger than PAGE_SIZE.

> A minimum block size of 1 seems pretty crazy.  Surely the minimum should be
> higher?
>

Yes, 512 is better here.

Thanks,
Yongji
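
The bounds settled on in this reply (at least 512, at most PAGE_SIZE), as an added userspace C model that is not part of the patch or the kernel. The names `check_blk_size` and `check_value`, the 4 KiB page size, the little-endian decoding and the power-of-two check are assumptions of this example, and the config blob is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages */
#define MODEL_MIN_BLK   512u  /* lower bound agreed in the thread */
#define F_BLK_SIZE_BIT  6     /* VIRTIO_BLK_F_BLK_SIZE feature bit */
#define BLK_SIZE_OFFSET 20    /* blk_size offset in struct virtio_blk_config */

enum blk_check { BLK_OK, BLK_DEFAULT, BLK_TRUNCATED, BLK_TOO_SMALL,
                 BLK_TOO_LARGE, BLK_NOT_POW2 };

/* Validate the device-supplied block size; *out always holds a safe value. */
enum blk_check check_blk_size(uint64_t features, const uint8_t *cfg,
                              size_t cfg_len, uint32_t *out)
{
    uint32_t v;

    *out = MODEL_MIN_BLK;
    if (!(features & (1ull << F_BLK_SIZE_BIT)))
        return BLK_DEFAULT;            /* field not offered by the device */
    if (cfg == NULL || cfg_len < BLK_SIZE_OFFSET + 4)
        return BLK_TRUNCATED;
    cfg += BLK_SIZE_OFFSET;            /* assumed little-endian (VIRTIO 1.0) */
    v = cfg[0] | cfg[1] << 8 | cfg[2] << 16 | (uint32_t)cfg[3] << 24;
    if (v < MODEL_MIN_BLK)
        return BLK_TOO_SMALL;          /* rejects 0 and 1 */
    if (v > MODEL_PAGE_SIZE)
        return BLK_TOO_LARGE;          /* the panic case from the thread */
    if (v & (v - 1))
        return BLK_NOT_POW2;           /* assumption added in this example */
    *out = v;
    return BLK_OK;
}

/* Build a constructed config blob carrying blk_size and run the check. */
enum blk_check check_value(uint32_t blk_size)
{
    uint8_t cfg[BLK_SIZE_OFFSET + 4] = {0};
    uint32_t out;
    for (int i = 0; i < 4; i++)
        cfg[BLK_SIZE_OFFSET + i] = (uint8_t)(blk_size >> (8 * i));
    return check_blk_size(1ull << F_BLK_SIZE_BIT, cfg, sizeof(cfg), &out);
}
int main(void)
{
    const uint32_t samples[] = {0, 1, 512, 3000, 4096, 8192}; /* constructed */
    for (size_t i = 0; i < 6; i++)
        printf("%u -> %d\n", (unsigned)samples[i], check_value(samples[i]));
    return 0;
}
```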
